23542300x8000000000000000969250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DD43D9CA472EEE5A82506B1E1E94FB,SHA256=525E83815DBDDF384976CCE0EEBCFC044507030B593EED5D60C0E654331025A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:11.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022569D715EB9F45FEA67C36AF1A1C46,SHA256=BEA87CDBDAA0DD238FBD44783EB7DA2328C04BB21AFDDCDFE82BF2B28E372102,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:09.803{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001039034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:09.164{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000969249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:08.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F909D948980F81DF6D94DFAEDC6BE3,SHA256=3535D3CCDF565F456F4B764C7945B9EB523405B9E9086B4519B3EA45E9A6A7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AE9B53B73E49FAD5F6285D352C2B7C,SHA256=D69BFC2339DA0E138D0C92A2C80A8B1DE5B2E40941B9B0BAD76530A78FC36714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC85ECBD480F686DD4995EBAC44B4B8C,SHA256=5F818A9D0EEAC31B8C1119B819620718E6F7478F4E5CC416330F3EA4F51F9B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:12.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1879711E0E257D650673191BA3BEBF98,SHA256=EEB2B17BBC6FACA7D8633BD0ADBCEA92834DF45261D4351698D741F6375515E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.745{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:13.791{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C67F4406E734E97436FB34722F0BA,SHA256=08174B45465BD914C1298ED183108B66F208B3DF620F0A58CED7D7C3D41DD87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:13.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E672909C07D9B0719AE2244D6952DB,SHA256=7E5B414CB58C89EE8446D16A8B8A8EE37F92A674D83D77F00651F1C8FB3A0FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:14.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7309DAE23397564710AB3F75FA84B3F,SHA256=3F9594D654C3335CC5F0F7A5D807C794C348D742106557F7D0684C73E1275FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:14.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B667CADE6CE225A7843B136CE96A5F,SHA256=A4779824C9DB71E0A51FF9E57E6A2F9649D69B9D03254FDE2A84AF1BB86152C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.455{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.378{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58858-false10.0.1.12-8089- 23542300x8000000000000000969254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:14.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F909D948980F81DF6D94DFAEDC6BE3,SHA256=3535D3CCDF565F456F4B764C7945B9EB523405B9E9086B4519B3EA45E9A6A7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:15.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E144829FA0EC3FEF19E402007C07C6,SHA256=91138301C008BF70C930320CBBC6BB37368A3EC8575BFCA3444C0EBC33A7F371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.623{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98527F520D7C53D5A69ADCFB1C627BB5,SHA256=2803D66AEF87B79466FAB9EF7BECCDD45ADA82FB381A7D45BAB2C5D2C56C11D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:16.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D27033CDB6BB52F59DF62D5D2681F,SHA256=9B0E0AA99A3B9804B3A93915284224E519CC68DFFC0926492A049B2A92CA307D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF02C891A5510A67BBC97DD2B49862E,SHA256=9A779741EB2F4B31F1D76AB677052072BDACA28BF7650E69BCFBB33A960E957C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=815B72B1E0698F2455192C4FEDA4CD2E,SHA256=1ECC59DDA7EFCEA5CE726FDB71C8BF0F08507B9D1613EFA551604AFCE2075773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.654{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0298A9449E2072A2CD26A6EFDAAE9A3E,SHA256=8FD26FCDFBE437FB53E567EF20D3333484E6E0312D4CE04A1D4E29E9D5D79CFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:14.884{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001039042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfa6547b.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:17.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9202311685F38F643AABAC7A1C2572,SHA256=15F63B7D6A8950CD653DFA24BAD171D0B53AF9ECB9DB46628DC528A4FEE9812D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:17.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD9B0057B5C1843DC6A6A61F012C833,SHA256=E84C8815093989EB40F99C3D6E2E6DB55712C0AEE25529B3E64E0DAFC8AA71D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.878{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58859-false10.0.1.12-8000- 23542300x8000000000000000969262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:18.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B825DCBD9E6C82820A99B1917019F270,SHA256=DEBC089D85134FE4A147B0B875F995AD4A158B73D3F3452F81B91BC834BF9DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:18.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF47F6799ED7D0C5F2857922C876A5A,SHA256=2C42CDEEB057A266EFBFAE77C02CC826CC20F455659B0CF222B89A3825156384,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.584{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52871-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001039049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.584{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52871-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000969265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA33293EA12BAD8A7B91F45E870C3BA,SHA256=E2F41605468EF59AAE3D818BD5DCF7164069F19447C39E4408ADA5B8DA506D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:19.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F6D410B2917C28129907B6B48C5E76,SHA256=FB7E7B53DB20A7FD77DC0DC2B332D74CD09871BCC62A3DAC004E2604D678E98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DE47C4BA9E882F45E245D4BA0E341B,SHA256=5CBBD8DC18BCEEA7716A5FD1112E9688BF0CDF19A167975630495F306E0571A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C8FADFC53218638FD3DEB1528588A54,SHA256=BBE2C6849966D1F2358D51893B5F02E88F69949CDA9DA27AE573B70B6CBA5993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:20.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AF5012344F806F70E128DA51A00304,SHA256=4EB1441C9FF0E92B2B978F5DDD4042C22B32AE93182092BC261609671CBA031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:20.791{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2E970BC25236B72F0AB036A26A421E,SHA256=5FE58AF95B6147D0FE8406B4D2879CDE8C7E2D5407D90B7A5115A1284207ECF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:16.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:21.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6648E3B4B3F2DCEF1D3FE8B5A1D6983C,SHA256=1DEFE645CED6188AD0288F131538F91B4C6ACD3178AA2C0CEB1EA2B3EFCEF303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:21.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8ED4AD2939E312764E4B4D2104B28C,SHA256=8D6A856AAC70885E08D842BB8CB3DCB042E9D4981DDC041DA2CFAA6F4908D2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:22.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB10EB0C68C12AF0A5792266E978F0D7,SHA256=36445036063159ECD5815022DA9BF1CA3C2DEE32C08D0B5B490A172FF3379473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:22.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B10C5CD22DF3347110C9619F53F61F,SHA256=B0CDC62ABD7073946314F22730C7DFC3CF541F3B27E24BE40D4B06BE6C9243F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:18.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58860-false10.0.1.12-8000- 354300x80000000000000001039055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:20.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23B65E52DF8E8DAF47082130D483D85,SHA256=45083BED2A2DE62A4A06689843E49C869CB845A566DDD915C336F31CBB366F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.871{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF02C891A5510A67BBC97DD2B49862E,SHA256=9A779741EB2F4B31F1D76AB677052072BDACA28BF7650E69BCFBB33A960E957C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D983719480258DDBC7620B23C670BAA8,SHA256=0B79DCAA2DCBEF740811D3B5A4E28DC1167422ABC598D485C2E787D2DADDAB3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:22.222{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:24.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F189A2A96799FE306BD1CC2A3C4721,SHA256=CA488623BA0BDADC95E9AD631B0126B90CDB80912080BE1F2B13227B55B4AB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:25.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219572C7B828EFB4DE273FE174C32AFD,SHA256=E6577E277684CD6D16DC4C54A0B6D16CBEF17991C3A12077973BE6FB964B3647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:25.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B130A31AD8A5E366176E712381E64D,SHA256=A6068C104606E0AA786E093F1B56F76FD9392003DA02ED3423272CD2048EB8EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:24.721{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com5692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.389{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4265MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23B65E52DF8E8DAF47082130D483D85,SHA256=45083BED2A2DE62A4A06689843E49C869CB845A566DDD915C336F31CBB366F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518DA042C8827E5FC42E1B042A09582C,SHA256=F58455EC18D6FC49F213B400956DC700416735058676E25099FB5AFDE869BE4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.841{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000969287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.511{69CF5F33-80AA-6151-8F78-00000000FD01}23802028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1759F42BF5B7880AD992A9864855F7D9,SHA256=4E0F28B9C6DED3FDFC84402C12A8B145FB87C8B642E4BD1DA69B07F65E572A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.184{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000969317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.466{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4658B002FA5E7D0DB3396B354D94CFD5,SHA256=6E4AF55071A0FCC8F1C6E1D28D5C644D0462561F1CD2ED9AB2FD8013C81CF48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.402{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4266MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F680389FD70F1272B90D7CA13879AAE,SHA256=A13C759A03E09C89081B7F9540E1B7C3855AF2FA5E3F3FB84002C0D334A5D203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F64FA6CF8F679E986ED1BC2F679CF6,SHA256=DEC412A1B5E346AF7E952442615DB43ADDC963DD73CA1B90D1A646329A7FE04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DE47C4BA9E882F45E245D4BA0E341B,SHA256=5CBBD8DC18BCEEA7716A5FD1112E9688BF0CDF19A167975630495F306E0571A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.089{69CF5F33-80AA-6151-9078-00000000FD01}32523720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.840{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:25.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com3939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:24.785{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58861-false10.0.1.12-8000- 23542300x8000000000000000969333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B7B739C1C4727A8DCAD6E45E4369CD,SHA256=840454A17648D2B0BB2EE38B0A6A8393D5DB76200F35A3D109E25A768E887E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F64FA6CF8F679E986ED1BC2F679CF6,SHA256=DEC412A1B5E346AF7E952442615DB43ADDC963DD73CA1B90D1A646329A7FE04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8D2CF5CB95547761A14CF472B1E7F3,SHA256=08B6AB5A7AD18DDB7903CDDC88DBB7F1C25E5B3E80A64DD901417F90E6543633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.355{69CF5F33-80AC-6151-9278-00000000FD01}24601404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.153{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.185{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8FD909CF34D44301E437231EBAC737,SHA256=590D00290997022B3EF727D4A52906F50FAE95C6497259AAAA8486A7CEB1A9D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:25.893{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000969362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.730{69CF5F33-80AD-6151-9478-00000000FD01}716916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:29.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7111EF5BA7D86B72260A563490FC5843,SHA256=16245C96DE697D2DF91D6EFDEE67E36DE4943F2D6C6E425ADC0405807E1C1327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:29.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E1861623ADCC5D9C8A83C85A153730,SHA256=21A774E9BFEDBCC59CC0EF15AE61D9EC4E5714E9D6197899230464F0FCB574A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.528{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001039071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.541{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E684BAEC815776310B0133B0A34A52B0,SHA256=DD36B61B929B26F0D5DA49E0CCA435514DC2343195061007B2FE3B0C7CED0E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:30.267{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612242C9B8488C3C3BB2647BB7DD1E1D,SHA256=AD730EEA7767FF47EA8EC7F29A5D494EF1F5661B4F6420CFBE6D545382A07FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025D94CF621019C6DC5E0FD6DC0F13E1,SHA256=68F91ED410A60AA7A298447E69F55796049D98D0BDB6B98E85690D07800D5292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=445ED1CB9549DD3973DA82C24B137C9A,SHA256=884D1B5708DA86FE38A519A5A74D19A4D9CD77B3BF5F715F47B1279408100514,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.205{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61368-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:31.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4012FB04081534FB5970D7E3A48598F,SHA256=26D73583AAA6926D0FD37F69128FB689F8F19B2C97FF8F3A9A7AB1820CD151E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:31.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD2FD79124DDF35D7CDAF8F4D6A5772,SHA256=5BA3A5E70FCEE89D187C5ADF72C8AC526C48004AE814A1F19E8E884B54FD0055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.961{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58862-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001039078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:32.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBC59F028BBACA07CD76F4A3E98BD4E,SHA256=D25B49A77E5BE7B66A33B690F2552A46CB7F0FB29F0185EDABA2A314E967E294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:32.214{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=36BD2AB25939DA3A323E149C72D4D0BD,SHA256=51AC5FD4A95F2C294CE3A6F8B56F7BEB23ABFE60C52CB2CFEF15A3AFE8C3D706,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.907{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58862-false10.0.1.14-49672- 23542300x80000000000000001039079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:33.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B42010A92714E753C5C0B98FE8F9ED,SHA256=77439C84B22783FFC3EB3474997732FB05CF08A5B0781E4586E055005ED090CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58863-false10.0.1.12-8000- 23542300x8000000000000000969370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:33.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=109F2CBD5AB434422C71CD0964884FCC,SHA256=71AA39BEC5B3A554F21C0DD7EBE853A27E4F62C9D7F8E341AE58485524FD3695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:33.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC2880B7A5123CE6138495AA1A0E72C,SHA256=BCBE81CCD14A9255EA70E70CD3D18B8FE4CB01D92719E53C20AEF4A20D171B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:34.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC56A1958FEA2BB58B1308B2048236B6,SHA256=D9032113104C15B4FE7B518471087F16B0E01F00C944F607D561659123BA8ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:34.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9739908C7F19FFB573F4C345530C9E03,SHA256=EEC17B334063C0F4425B047820C45C1255724E83A913066CAC5DEB7D30E69239,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:31.850{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.594{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.409{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BE22CF8FD949E1010529C6971B234D,SHA256=AD6BF8C9863D1CC7AADE97C78D0F578591A132171000329F709F65D35B846579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D2D6429778605B86D7B78B9DA3F842C,SHA256=8629E7A062581D06D0D83D922F191D5EB17638145CC4BF8896C38376D1D30DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CAA351AD85517455767232447CF054,SHA256=03C9A3E2E3EF85DFC8EE66EB6AE5068303C70585473FB1C62AF5A0C9321D4E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B5F7FA08D4BBFDBA287E3E03DB94A,SHA256=F0D03685A376E548AE95BA9E95341C4BD0BEABE5E268B22BF41F74257BB6A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B969F6C14087F405236BE316056D503,SHA256=ADACCFF629484BB60E38A4C36FF8ED102BE7CD791A9B06F7E2E4EB68B8D96A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663ED510007FC878D23D6E16D2B4F0D,SHA256=5693C8EB4C6CD0DAADC4E3D03385CF939815B17E1066DDD2EEDD833AB068E4C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:32.872{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:36.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29119FF425617276B10CBD1D7E25B18,SHA256=CF37F8B43292A053318F0168581F2C2E55BB6B1DBD9DEAB27B0CC520A5E570D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:37.524{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83ACE0850BCDA65EEC03080015D15C,SHA256=512FE21DBC954B33BB0BB651E9645BDDC3BD8F246D5C84864CEC55CF7B4998F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:37.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D7D011AE8E2DBD02B30DA0EF280CD8,SHA256=832FEC70801F16B10D6496BCAC473FB57B49721421A0E3A362AF629534341110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:37.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28CEDD7ED3B408C4B9AB62A8B53E5C5,SHA256=58DC17064A401E877E670D117974EBF6C321C6AD3816417FF79E570B0D396BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.270{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001039087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.264{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.907{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AE1C649AB2D406A03D474DC498C41CCB,SHA256=845543B340B205C8E916264DB27FEB04C61D1FB051270F9399010D2CF3552432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.539{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418791D07382ABCBC5008B3A5D30BE5D,SHA256=87341089CFB3BB2833B911ADB00AE1A1AD6CC340AC1D8474D6702B342EA8B631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.403{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58864-false10.0.1.12-8000- 354300x8000000000000000969382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.041{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50608-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C9A7463935352B65022D74542966E9,SHA256=277DF39F053C6DF805CE780502D53FDFE471D67545D4E438AFCC1CEF77A234B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:39.656{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0E2E812E39EC25B59394699BE26E48,SHA256=990C59753E3DCF87DD4F3854D753A51A603C8D80706F24DC9BC2FA6225B17AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:39.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7CCDAA95E58E2C7752FA09D6A79CE35,SHA256=7C67DB9C7B62547E2B1273B5FD2A7FE395B6C4B67A25A7B954FD7710CDF0F251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:39.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA62BFDAA7435CA2C33B5B170EAEC24A,SHA256=AA12A92E12F0D9F37AB58C3CD312D588F7FEEC9D7A39265046D2A544DF6B687D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:40.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F703FC4684BC4318E6A27777F94C81,SHA256=F99CAE6D9C3EEAFA585D5D565E17A1F06A983604309F91032943DFCAABCC2834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:40.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6254D68CAD133EADACE4506412340117,SHA256=0F194E51DCA16740DCA473EAFBB0A8A364129BB1791CEE00CDB4EED869A92115,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:37.746{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:41.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E1ED5E1256BDE395991F4BA9CE7023,SHA256=608F946039D77350856CAE15AAF78928C42A41DE32E814EAA7BA13CA07973C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:41.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD5B3101CA16BEC590B12B0287C7F99,SHA256=CFB72DFA3F01712DEC7FBED717D5CA711D41D501D665547FCD6559D1D99B44B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.841{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:41.433{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B5F7FA08D4BBFDBA287E3E03DB94A,SHA256=F0D03685A376E548AE95BA9E95341C4BD0BEABE5E268B22BF41F74257BB6A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1600D209E3E3E0C982F1A1070BBEEED,SHA256=2C687BD0AF43C74EE6BD48591A41537A7FCF5FE03759852CA5FBA3585500C743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:42.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78A9D1560E84B8F74DC483406A04436,SHA256=91D32446ACBD3270D5CC1BB77633366BF158DA5AF58627AA1BCF0FF03B3F2CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:43.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E8A1F13681904C3A8A975440B5E19F,SHA256=20DD812F1CCACDFDE3E710A171120BACEB40FC3CCDE8928A2C45CAA7AA6C5F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:43.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DCE2301693A9D6C5A0CECFC1F836E9,SHA256=3679A5F97A5768904310B397F4C464F5178616212B99E563C1663ABA5857BE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:43.652{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5DD622F40D09CC5CAE122B0DA6795FF,SHA256=DBD488544333EDE17A3C97736A8C89C077EF7602BB769C524F0F73ACB9EFC368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:44.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEB4A8EA22FE78AF51012CA9C362B1A,SHA256=FEB9A8904012A7F667773CE4BB76BC1141021ABF6585312F846C0FD7B9E9344F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:41.743{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58865-false10.0.1.12-8000- 23542300x8000000000000000969403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:44.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96A9FA224E571976FCD211092EEAA17,SHA256=BA6318ABACD628538C0047F49407267117ED171C7BFE739045F8E9F75DC5C4D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.040{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B98D7C5C4E7FB112EDAC893C7C55A3,SHA256=92D780803C1D7B1752593A483B526FA481D677C1D5780D50B55C18DEA7C77B2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:42.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55433-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:45.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63ED821F6FA037C92FC13A16D625643,SHA256=4C2104F43763FC172E11B729C9EBC83F425FD73A93CF015E19E30B78C596CE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.785{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001039112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.878{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.302{5EBD8912-80BD-6151-E678-00000000FC01}49486748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.072{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92E0EE50DD6157FF8DF17CBFCC7C6C3,SHA256=669C8CE7B85506B2735A40885452BC11F24CDC070D01D9EB867494D0CACD0BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:44.676{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001039130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.498{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.082{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CCFE0B5B40A0A04D91E3306D7AFC26,SHA256=9F7057D47F5437C6E274BC3E4AA99FA20C3F5AB2425BF4427E2148B35B6E4BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29064D580E52E3E72379E4718AD5DD3A,SHA256=F06EB110732EC42C33E679A503AE71ED7A90F5612E14D9011A24139D3E979592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371C7235CB9A96BBF0FA05C37E64EDCE,SHA256=B20AFED087AD94F8C1DA456449B657E6D90F8A87E54F63771817344251DD4066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EA79CC9228A4948E570D8BA0A42E18A,SHA256=AEA7A0579FF833ED456AB17E1F38AC8B8B0A858FA5F960950B03EF0098A98A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:47.917{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F266C8417257CBEC8933CA22C39A5F81,SHA256=5A6F1A580CE156887ECA596E144ACF600E33A7862305D868D15B8EF467B17FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:47.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD9F37E62416C892B85BBD3DA7EAE40,SHA256=C55686D2EFD1EB26565EF37664FC0C8AECFBAC5AE388EDE16C3725623ADEAB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:47.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CB8E18B77700663C1459899F9FC871,SHA256=FEC52A409D47939E3AC019A18EC76FA02ADBE68A39ACF6BDDA9F648C1F4E5C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:48.932{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B0934BEB20C7DE6EB45E7D1131450B,SHA256=CE886F90DF986FD7BEEED752F6D0AE629F45CD1E162FB5F6BD77856F8EBBE8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:48.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E789A60A0C163F4AEAA9ECDCD3AAF0,SHA256=F5FE2DA345769F3D912CD5DEEC490EBB63247C6B980BC80F92B7314C3ADA5866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:49.948{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BB838D49117FC86ACDFD036090B316,SHA256=6C7F3AC168E8F502DE520CF0EE665E7321D1E66D7F76F814FF9161E5BC1EEEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:49.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF99FDD9CF0FB840EA7B73880934D420,SHA256=0662392AA69E6109762E74EAF292CF34A969F0CCC02D29445CC1D3BFCFBC44E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:50.963{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B47542D11CCA056E2E950407545377,SHA256=BD77D191E0C7B0F7B6B726D6CB948566723D9AB3F1847024752E54989FB2C427,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:48.809{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:50.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE719CB6A8966771D0D9D864DD80461A,SHA256=4973722385F1B9EC700975E5E560C8D9F59B8E07E5F3A671F7C5D3C348C5760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:51.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8EE31F3512A9B784818B5C8F71619C,SHA256=6E5A50FE6438E4930A6E2C1076E978F34B2CE4EE35AD9C3F987780EEA3C82492,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:48.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:47.696{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58866-false10.0.1.12-8000- 23542300x8000000000000000969415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B149CBD63694DADC9BCC1F6D7C79F66C,SHA256=8B0205672B59AFE32746F63622EA79CB92B6E83B385A679A5FE14533C0A34CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371C7235CB9A96BBF0FA05C37E64EDCE,SHA256=B20AFED087AD94F8C1DA456449B657E6D90F8A87E54F63771817344251DD4066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C6ADB42E244B0670E50F3FB88CEFAA,SHA256=17ECD9FB7FA8138F95C8157785010C151C8B1CF56D34250ED83E8B2DB893EC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED740AD7740F403B2EC3942F2B3F33D5,SHA256=00972CF1E7C35FC3D4D6329E9696CBEA7623CB50E35BA8CCC44E8ADA8A32C6DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:50.284{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:52.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=631687F91EBF60F1AD3BA0B435F91AA6,SHA256=D9381918B89FEC6D2B7FFC3EDAF7BF30791A761BA15C93989A969A7A5F78A158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:52.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CF1CB623DCD0BDE51933E13873DD916,SHA256=1C018DAB4AD7629312E8E2C7EE110907DF4A7304F5FA48628EB2A63C82F9736D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:53.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26149334E82203A872390C9730D4B0EA,SHA256=705F92BD61AF5023D70C5282789A78065341A1B44D0F317DAB2E946F6E2AACC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:49.190{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59512-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:53.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5101099E38B270A4B2FF82DA1EDCFF8,SHA256=82306E23D7F2A97507988023466A8EA0822AD874B3C840547DE4384DD7CF5D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9ECCA1F35CE06224D6D62022B2D06E,SHA256=DB05632845ED2093AD7FAC560D7BEF47AD0106D1DC4D4EB99225197540DE4A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:54.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ABE916845634D6A1E166127723B163,SHA256=D959EC503F4DA46CB5457512CC6156AF4DF56906C360043ED3100D021DA1D992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.798{5EBD8912-80C6-6151-E978-00000000FC01}54245476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.565{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.033{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769935424925F8A8F20F0D3F07BB040B,SHA256=12C841EDAC515A126D798B4797A95A0046B7B00A89D560CF16E9AC9062E96CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.128{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:55.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AD01BB2DD12F6784E16F87EA0D9B31,SHA256=096B48AEF723822E0219B201CFCA670AFB3DDE41AEDF5FA822A84828FE6CE019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.966{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.966{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.935{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.935{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F30-614D-1400-00000000FC01}11041400C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.851{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001039171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.773{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.617{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=631687F91EBF60F1AD3BA0B435F91AA6,SHA256=D9381918B89FEC6D2B7FFC3EDAF7BF30791A761BA15C93989A969A7A5F78A158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.448{5EBD8912-80C7-6151-EA78-00000000FC01}6400324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.249{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.033{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE44FA5D6197A19EE09066601213BC74,SHA256=F715CEFD9537E586C9251C3D09F4D5C3845BB725158CC2A55FCEA0013A8BAC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:56.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C64EA07B6A79679CF8461D3DD4D3F8,SHA256=281F96932AADA57DDB08D6A71DC06CD3D3C6CCFA2DBE103847681EB4C25D0321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95365009C599C59A3D7A295891C7AC72,SHA256=7CF113F35D56BBA52F95C79D19C9670857B1D88250658C20EECC90EB74722092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.703{5EBD8912-80C8-6151-EE78-00000000FC01}62844384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.887{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.535{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37758CBFC5B2C5F07AD0A5C083925E1B,SHA256=BBFA9A7232CADA5A7D6A362F97E965EB298C39F943B008BC44C0AE642C681DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.727{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58867-false10.0.1.12-8000- 23542300x8000000000000000969428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:57.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4960FCE7811E5D13540DDC9BDF42776,SHA256=4EC248D0872AA6DF57FBA87263BBDC8885A3319515B75C493C53A7A8AD4E11AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D229B7A9E595864CBE2B5A0254814B50,SHA256=EE367F433E6C7E5A1B9B60BFA85280F6FD476C4D0ED84AD52083E620C1A32AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2F142E3897B0E398DCBE34AEEA78A3BE,SHA256=BDCCDAD2E6B1B19D42312688C9E7766C48F95A00E754852A9FA8E84636B7CD82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.180{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001039198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF30CED3DC3D5EB3BDFEB3DDE3475DC2,SHA256=70A5CB86367577E6DDFAEB368C45751B14AF8F005D63C3BF3B72B9B73B230EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:58.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5BC1C884FC1FB8C39D322CA3C3FB6F,SHA256=1449BBAB3C4EFEE1BF8014433B87CB845CB44371042D8516DD68CC837E646D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.876{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52882-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001039208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.876{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52882-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001039207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.768{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local52881-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001039206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.768{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52881-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001039205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.760{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52880-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001039204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.760{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52880-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001039203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:58.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFC280F9E1090140DE874E8D595ABFB,SHA256=8DF4DC7785DC7519CDAAD4011D1290228347BD09C8C3E9ACA4CFE1BC87F96F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:58.080{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0588086823CE8C40007BD0A4FB551885,SHA256=0385E6805103E2448DE911494890C2D365F5FA12EED0554F1453B8B3209E4D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.953{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DB222629E1210395F14A40F0606B74,SHA256=BAA89FB71D86AB5477AA4591689BED0D8F90479A996096245EC2F2CB396F242D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.935{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62515-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF3D54D5AE1E7B4F6FBFE23B9BB297BE,SHA256=9F098C9B2823EF6D9140A16F82F9558396CD13AA532668772785DFA05601AC80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0694FF3CFF17DB93358CD035FAC22BDE,SHA256=6142DB2196FE92E7C0B23341223FE6AD74CDEB5D10C974E8D68AFC0CE8DF6835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.455{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4266MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:56.364{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118722B730A2C2CB1CA33B30A698EE26,SHA256=6B86B3B5C25FFEED929E7E8B66559F03444D94720D0D6DA6AB8523B78A98780C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A760D6745932BDD3D694525A085547,SHA256=EF6A7707115CC34D13C2E8955DD2718E631B9380E9877579A335194491F83E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE61F2EE320FC76D0988E20E7C924FFB,SHA256=02B16FA2012B5C485B3FB73371FC0DB58EF0A970119E9F5494E8AE1361C3B68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:00.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C076EFEB5612EBC2B74C494CAEE53E79,SHA256=C9578F7D53AA15C559271F4BAED8E4D1B7DAC524E3BE35E8048BD9C6D64E16BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.469{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4267MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:01.195{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4407AAFD4015542979AB886357FD8C,SHA256=488D865F713310ACD7B59CA4F8545199BF848A7CB8C799B95AA6EF642DAF3616,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:58.758{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58868-false10.0.1.12-8000- 23542300x80000000000000001039215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:02.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8E578E0A7D66DAFEC1EF94B256770A,SHA256=58EA2047651576D7EFF44383C2641E5984E935F489F62140BE162B2FF35248AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:02.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F52CACAE43DAD8ED07C65DA8335C36,SHA256=5A904BD79AA01C3D66056FF57D3CB7F686F750CFE0B86FEA357CCE5C9CA06ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:03.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD95243D8EB9707FD04AEF6843D3CD6,SHA256=3F364AFDBE597E64912F81EE93EB04BE72560F9D04435AC4F8EDACA5D2D590A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.719{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:03.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EAFEE5BCBCF0BC308CE0034F60B897,SHA256=73068AD35766724CED97DF15A4F439703B09FDAC1222AF3FF41564F8EEBBE0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.838{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000969444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:01.510{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50745-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91467CF108AD9B88C596A4DE8185C63,SHA256=E9D75CED9F14D70C74D73083878C2B5B0C76F2F77BB55E656B9CF2FDFA1E39B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118722B730A2C2CB1CA33B30A698EE26,SHA256=6B86B3B5C25FFEED929E7E8B66559F03444D94720D0D6DA6AB8523B78A98780C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B71F445A2AC2062FAE8B635037C26,SHA256=FEF01264E0554ECD55C8E36154D4ECBF6A39A6DBA78F2F5069AE2772EA5DCD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:04.245{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDDF93E6137587525145240B57E496B,SHA256=101AB999C977EB0631E2AC174DBD6154377C5014A424D975DBBFD412136DE2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:05.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675AAB055139E961F14303AF6B87C99,SHA256=844161DCF41DC0F3DF82DF27604B3EBEE83BE28D4321B3E7FA925C7ED3E3DBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.859{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2512CEB3342787AAA6BE400A5C654C34,SHA256=914B7FA7BF3B2D64047443E1EEFB95B43E8E186891511BDD823D35C36A01D8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:06.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF64041C885DFA344C1D2D97A3CE136,SHA256=2376F82F861288A0F8286F37B2267C456B661EEEA2B9C8109CF6C65D4716738B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:03.761{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58869-false10.0.1.12-8000- 23542300x8000000000000000969446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:06.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1FE2CB74009F23C1FF06A3BD5124B4,SHA256=335B39F15503709B54B88295D7F62CE0B15352B38176542EDAA5A0CBB31CE5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F17FFCB16ABDB3C44D97F424B92053,SHA256=AADFAFECDC162E6BB89125B4C2555A0EA22E619A38E93AEDC8D4D707A234C48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0691F3A6A0FD99ADE1FC2DB6639F602,SHA256=A6CB30EB7B50F2757694CE6327975B1497A848C326FA60EC3D05BE7AFDDE4450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DC0BFA998888073E7A8C431732C7B1,SHA256=D46F35C762100BE89D7348B71C354866734CDF7C2790ABFBF65410006C0B9B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:07.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77794D88BD69334B45696916FF20A392,SHA256=AFBD3B49C82DC2C1935F6452094618DE69E9CD4ADBBC67355353A0EF8F41912F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:08.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFDDFE4358E10175421883BCB818989,SHA256=DFF1FCC67D26A617EB62478A069E839A98B86CF1020BC6E997E2664130F77D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:08.990{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F17FFCB16ABDB3C44D97F424B92053,SHA256=AADFAFECDC162E6BB89125B4C2555A0EA22E619A38E93AEDC8D4D707A234C48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:08.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570884B1FAACCEECE67E17CCC4F8809,SHA256=00DE23857446ADCDA005E54327393750704ECD6DCB47BCD39C68077B5A922ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.946{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.819{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:09.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A8CF5CFB26712402CBD608D20A11F4,SHA256=AB314574B84A2788423FC75F6775BE327CD6914A4522B57F11D3E5D926EEC956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:09.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962F07668AF6500A3201EA838514896C,SHA256=7B2F2242167DA1BD5318E56E574A14C5231864319CE68F10128FEB3B764F35A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:06.756{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:10.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9830D4D70906411BE7C2FEBC2B1C028,SHA256=F7C0D1BB9C412A6D1510138921983A88B44E0B19F74474731A7B840205D29774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:10.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC867E1646A600567B8C6B44E714FF35,SHA256=ABB57D8F1C2C8AE0B74739C3BE9B6A4FD5DC383712602C6DDD023913E5D89483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:11.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E646E0EC7D99212F8510ED43DF25683,SHA256=2ED0A4A74449B3E226E5E71D3F17FDD60BB316CF0B4C2CF481502FD63862E0FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001039245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:29:11.629{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007ac) 23542300x80000000000000001039244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FA38D930A9A92691993DCA3E752ADE,SHA256=102BF5A38EA2E2D9F49906B2C8B6702F5AF9C30D7AD7CF29CE7EE1378673B608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.425{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.325{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.225{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DB57BA3637D8D3C5A01C3861F9395,SHA256=96B8FC20E2E52635DCF410BA627E1B0C02EEEC622E6A95B2131EC15DC5CDECC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0AA34E51E830C3F859CF94940AA3CD,SHA256=81EC88F88595E38D322766FC500249DFB1E2A879EBE623524CEE8C094F1498D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.766{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:09.790{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58870-false10.0.1.12-8000- 23542300x80000000000000001039246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A44210E00BFFAAF2CC2F7488F8C3F7B6,SHA256=6A7EAB65E4EEEF248AA1FB58D2465E9CAB0BAEA7E37060CEFB2D5811C3480539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:13.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527413CBFA8C019528C69A41E997499A,SHA256=69BB2F5A1F66F29E3810207CEA42CE8B54656C8A9B92F55FCBE88938F19BBDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DC0767FA3C82773EF4CC6F533A7D1BCE,SHA256=1E7034B7661910832DA5EBA78025DE260E7B1352D33AB9DE4506FDCF5DA14B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D229B7A9E595864CBE2B5A0254814B50,SHA256=EE367F433E6C7E5A1B9B60BFA85280F6FD476C4D0ED84AD52083E620C1A32AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.534{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED11CD25ED8D2F6381993C97719079B,SHA256=451944F37FB685AF02EF1445FA4F898ADBCC5388243498EF4AF206E46D8B46AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.397{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.397{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.381{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.381{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.265{5EBD8912-7F30-614D-1000-00000000FC01}3802328C:\Windows\System32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.265{5EBD8912-7F30-614D-1000-00000000FC01}3802328C:\Windows\System32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:10.883{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:14.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16480567290D14858EBA312002D40E4B,SHA256=676C8219CF6B8F70D03F4D68554B7398897A82544CD72CC62EA17C7CD8526957,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:11.400{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58871-false10.0.1.12-8089- 10341000x80000000000000001039294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.589{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF95F7AD9AB3389D581E214C14BCB15,SHA256=E22B3EB7AB1676AB6342C236294D61D63635F71F1BD88E13592A03A37013B661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.535{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.535{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.481{5EBD8912-7F30-614D-1600-00000000FC01}1268512C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.433{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.433{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.311{5EBD8912-7F30-614D-1600-00000000FC01}1268NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.481{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local61155-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001039266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.481{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49262- 23542300x80000000000000001039265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24D104079B278EDDC94AF640BD8BC9E,SHA256=9457777C03A0574B7F84B823B79B408CDDBAA4A06EC6913F9AE2242A8035C0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5098BB67B891DC30E07AE180AAD7B00,SHA256=FFE267C907F840B20FAC3BAEC3FE7EF27276F899B6C1A12D81388E7D182C5A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2F7E4D2F8F1CFB329EAE98BBF6701D,SHA256=3091082F8F741AD5C48B595BB0CC6DEF237D9C341A63D5988643145584897071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000969461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4D451F1ED245B9B603DE11689CD858,SHA256=6DED08C12DE4327C3F0914A14BF6C55F933478771361E0840145BD5FDD5B14C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91467CF108AD9B88C596A4DE8185C63,SHA256=E9D75CED9F14D70C74D73083878C2B5B0C76F2F77BB55E656B9CF2FDFA1E39B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.772{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.772{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.674{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001039423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.651{5EBD8912-7F2D-614D-0A00-00000000FC01}616768C:\Windows\system32\services.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FC725199A7F0164CA23EA8B2425F5A,SHA256=01357A45B2BBAE1EBD5C033EB5CFEAE99446A99641AD6527B7F5D5E64CF09857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2D-614D-0A00-00000000FC01}6162560C:\Windows\system32\services.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.580{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001039413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.566{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.088{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52890-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001039384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.088{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52890-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001039383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.087{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52889-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001039382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.087{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52889-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001039381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.998{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local52888-false20.199.120.85-443https 354300x80000000000000001039380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.983{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51119- 354300x80000000000000001039379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.806{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.543{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52887-false93.184.220.29-80http 354300x80000000000000001039377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.506{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52886-false20.190.159.138-443https 10341000x80000000000000001039376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A9DD4F381B8C9163F264270820B2A8,SHA256=3F4AECA7CB05C686CFD47278C321A707438C6C92486F1D83D694B439B23A8FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5262526369879B290DE8071E40B841,SHA256=E6EA5DFABC0A53905A60190FB552A596B5B38E9F81D52660B6E4BAA8B2A89B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DC0767FA3C82773EF4CC6F533A7D1BCE,SHA256=1E7034B7661910832DA5EBA78025DE260E7B1352D33AB9DE4506FDCF5DA14B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B07DD3DCB3AE2081EE428FCA8FA046D,SHA256=CAFA6B250C84F2A7568536D9057F68FCEE2E0C307F653AA48DC6A2BF96D42B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.372{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.372{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.371{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.371{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.950{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764EC276F2C6D74EB950C4DFEC8CCDAB,SHA256=805612D94B05B83924F2F1E89CFF1CC068B25F2FF63A9E859DC9A05F6973820A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.950{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEC119B9A9E1D08D449AD4D895AD4C9A,SHA256=7115BBCCD886AFCDA7BB307AFB1841B7FD221AA899124EA37AA790848DEFBB18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.918{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.903{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.903{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.887{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.887{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.887{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.872{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.872{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.872{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.872{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.871{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.802{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.787{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E8FEB962D5335620ACFE423B47C904D,SHA256=480D5B16B812F67BFAB56CD4ECF923B9EA242E86EF0F5C26D4A3C80FC360770D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:14.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001039471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.518{5EBD8912-7F30-614D-1400-00000000FC01}11041400C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.611{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50436- 354300x80000000000000001039493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.595{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52891-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001039492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.595{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52891-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001039491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.011{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64926- 23542300x80000000000000001039490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:17.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A5CB22439FF2F20CC038B71A559B9B,SHA256=088CB2C569A81DE8335A4430125A982F68656F70DA22C7223510BF4094F24092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:17.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7435756624088290980C12311D591465,SHA256=A6538B4DE74C4BC9890A99C9A24339E2980A42BF9F2C8930F80972DC9AEED5E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:17.068{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:17.050{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x8000000000000000969464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:17.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4D451F1ED245B9B603DE11689CD858,SHA256=6DED08C12DE4327C3F0914A14BF6C55F933478771361E0840145BD5FDD5B14C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.697{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58872-false10.0.1.12-8000- 23542300x8000000000000000969466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:18.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795BBE8421563118D9586FFEEAFCE466,SHA256=92C0026FDFA4D9FA475B976CE5757209A3F391A9564846FDB72859035484DC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:18.728{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1D700C95B5C8069A9E4ACC07909A43,SHA256=D0C70C34235BEB4F2343B30B9B7FF48145442A56807D63A2038B9D264E555A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:18.653{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 354300x80000000000000001039496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:16.842{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001039495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.729{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52892-false52.249.36.201-443https 23542300x80000000000000001039499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:19.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E18EA742AB7D07316A6653120E1559,SHA256=6AD435E6AD337D1E0CD7190D497D0B6C24BAA1EBC1B168ED2EB9DB01639F4B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:19.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDF57FAEA0A19081A1E48FBBF57B7E1,SHA256=4E6096DD70B410CF3254CC6B0EB3FA0C2730A6EEC252884CF115160B964E8D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:20.747{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F227994E5FED707A60A07A2853B4A9C9,SHA256=2E85872085DC4B401040FA7A4521B20C1ED2542B76B6DCD0C33B23689C5EC638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:20.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CCD369065DF1E6AA14D0D707C4022B,SHA256=367FCACBC69D7C1FC0C9AD5BBAFAAA3BE54FC2F8023DF2820E3B128B008F6268,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:18.042{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58296- 23542300x80000000000000001039500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:20.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A9783232D93BE454B3AB25D3014795E,SHA256=B6F7489C825BB832848630669FB20E6258B284256D794EFA0CF2B387C3B844F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:21.756{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC78110BD5AF2131E75AE6EC3020E618,SHA256=6DA5ADFD4C6FA6D0B1B2916F6790BF65F6BF9EFDA03E91AADA5AE5A2E712448E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:21.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE798FE5AA020EBAC5C96100BCC26521,SHA256=9AF96975D581EA5204D7B7653334EBF478B0794904D13785EB77B133DE5C6797,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:20.027{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:18.799{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-54784-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:21.687{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959C3A562D781CBC60EC5E108E3404DD,SHA256=F772DE822DE5066E21AEB4EE195FF03B22F4592909F2330DD16EF7B1496A303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:22.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC9957E36A645BDCBC1230486E823E5,SHA256=3FAA3C59FE26ECE0212020AC5724405DB3461A1E9F48AD0538E20F25DF48F96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:22.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977469DD76ACAB97C82E5C6A177CCA31,SHA256=0E4A37AB36B14CC4433F9EA0517E0303B1722A1C5873F457E0AF0C94D69A0F2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:22.283{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:23.774{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FC7DE11C0C8CC91F6EB36CE23C6FC7,SHA256=A12D5C952056A0BC1070A15A194DA7DA8F2CA94BEFE79A042872F47AD5E33AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:23.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15D5BEC5178EC36EE325DE9F7AF2BF5,SHA256=81F3919D22EC50433CC5465FB24A5C802294BE840BA5CB2E4BE6BF767BD3C836,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:21.673{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:23.334{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ACED85D0588CA2937B3F4B46979D3D9,SHA256=D7683519CE8BB3C6611FB86252039196BDB3EE8207B1924865DC235A333B3690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:23.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46349E3A602F8D7E6894BA91A534A719,SHA256=4D9B7EECFB1B7A2A9988E3314D6066CB7FDA219EBAF2756D59FC516EB887C450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:23.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444B14F990047467FEC36A0398C76C3C,SHA256=340DAFE7653D5B4C6A5BD8BF0E71E27F2A9C1CF54E03235242CC8ADC8EEC1DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:20.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001039519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:22.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056FCB2887657062608CC73ECA93C0FD,SHA256=6957345EC34B085406B709AA4C7E400199FE378E0B9E0409243650351E7BFD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:24.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41DFF0C2395D61FE33D3F49F555722,SHA256=59C0DB6BE022489C644DA0814A59118AF2BABEB9E0C450B4E6990407019443CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.599{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=03E86C38560DE3E965FFE81E80496928,SHA256=E7F33CF98CAC5DAE0B680BE229AEAB913F2292B6E30BBFC428BA157FE5064C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.598{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=62FBFB5F1ED5316F5F6D355E12CFDFDF,SHA256=7221A356315286AEA7D90A972718A831CFFA600A75D2C1A21DC90BD510A822CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.597{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EF2AE11A645D62F2AF7691AE96C008A1,SHA256=5A1CC98C242C704C3328E0C3360CED90E4091B77129E1E1FF17DB8E138B84B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.596{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3F0672443CCD8ABC53C367DD49E72716,SHA256=D6792BCBE5E217EAD05A8330B81A3544CD90C5B5AE4C1A1437596B5C921CA41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.594{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C53660EE55B287EC6C4E396CFDAFECB2,SHA256=04009EB5EA4D94C5A305806D31907C913C86BD4B18877283A9AA07EF5B95B529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.593{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E6F7177C0045E2B097C206D90AB1717D,SHA256=4AAF3EC04011D5E2C26A002485CDA3D8CC25EA28F0479EF33AA18DC094D3A140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:20.885{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58873-false10.0.1.12-8000- 23542300x80000000000000001039522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:25.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9AC80D107AD98EBBDAC8ED461A9E68A,SHA256=37BA7897FB818E821A5EECF524777D8111F8F53BFE8128B7061A8D45A6CA350B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:24.190{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:25.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F882CF70EA8B5571415A59819C2E62AA,SHA256=0625DA090840401A53CC107D97BE65A301EE20FDECD4A20F8E9FDF79AB90EAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:25.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C69BAC9E5A1974A603F41F1978E7941,SHA256=5CC52B17E84630F4324F0B40A6C451480CCA33B9F5A61BF8C978B11BBBF49D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:26.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8796B1FFD699816E1EA4FB833251E4D,SHA256=DDE8F7200454CDED8447FE62EF6CA73FEF4525F1E97EC93B823D6441749A401C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E6-6151-9778-00000000FD01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80E6-6151-9778-00000000FD01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.893{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E6-6151-9778-00000000FD01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.878{69CF5F33-80E6-6151-9778-00000000FD01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B13624F44CDE75AEB7B93DC400DC9A,SHA256=FC9CE7D44B169579F538C292533F1FEB8CD22E940FC64C203BA33F9859C00A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.409{69CF5F33-80E6-6151-9678-00000000FD01}1328212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E6-6151-9678-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-80E6-6151-9678-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.205{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E6-6151-9678-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.190{69CF5F33-80E6-6151-9678-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:27.929{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4266MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:27.908{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F367D7A5ADD82532622C04D696994E91,SHA256=24359105748F62B8AB39E073BF49F434E0B61708A3A324C363BFF8815A4A72A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E7-6151-9878-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80E7-6151-9878-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.580{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E7-6151-9878-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.565{69CF5F33-80E7-6151-9878-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F6FD338172EA17AF0F3CC9D0EFB265,SHA256=1B34BE541AE069DEF339B62E5C7A87550D751F9D10BB6E3032CC65C42F44ED5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46349E3A602F8D7E6894BA91A534A719,SHA256=4D9B7EECFB1B7A2A9988E3314D6066CB7FDA219EBAF2756D59FC516EB887C450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.111{69CF5F33-80E6-6151-9778-00000000FD01}36003056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:28.941{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4267MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:28.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505915BC61BEE74596D2AE44C4262640,SHA256=F96ACD3AB6FAA70A8DE9000CCF772B98A47FDD7875450659275E13E65EAFA211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E8-6151-9A78-00000000FD01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C289DC7A4BBA3804958D59FE86BB634,SHA256=C24862C9E227899BF6EED42765E985C5D23C03825FE798529DF2311F0373CC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EC7E890C490803F5C331ACACEBDF4BA,SHA256=77D7F706CEE27D64D90ECBA77559022204F29E5E0FAF7520F1C0285BE6EB2656,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.783{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-80E8-6151-9A78-00000000FD01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.768{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E8-6151-9A78-00000000FD01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.768{69CF5F33-80E8-6151-9A78-00000000FD01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001039526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:28.764{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000969536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.408{69CF5F33-80E8-6151-9978-00000000FD01}340712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.268{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E8-6151-9978-00000000FD01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-80E8-6151-9978-00000000FD01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.252{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E8-6151-9978-00000000FD01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:28.253{69CF5F33-80E8-6151-9978-00000000FD01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA1BEE4216DE21E997D76C813D65C0D,SHA256=78C92BE7686BC833B2B2EF86EF11DF28423B0CD06A806EDD2E85F1A49B39814E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:29.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA58DB546BDC228B6623A19A55E2B32B,SHA256=967FC22D2B899945998FCA7FEC9CAD8AD63D4B709DBE2018766ECF870C0C8355,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:27.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0430D01011422CA765A286604B8F4E09,SHA256=DC45F261B8B687F28B665D38F1752CB80E1A1D83DAFB0158E165EED24D453C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.658{69CF5F33-80E9-6151-9B78-00000000FD01}30282504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80E9-6151-9B78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-80E9-6151-9B78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.471{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80E9-6151-9B78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.456{69CF5F33-80E9-6151-9B78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:26.729{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58874-false10.0.1.12-8000- 10341000x80000000000000001039660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.984{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.984{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.968{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.953{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 354300x8000000000000000969569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.223{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001039656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.953{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.953{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.953{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.953{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.937{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.937{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.921{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.921{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.921{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.921{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.921{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.919{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.917{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DB9ABA553AB7FA741593A28791EB69,SHA256=B06D5FAFDC45798E333E749E490426298AFE378C6427058C20A9777AF100FEFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.884{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.884{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.868{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.868{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.868{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.868{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.853{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.853{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.853{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.853{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.837{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4513005B0D95719A9EA271D05F304C88,SHA256=975A3AD7700AEEC40F1175473E387C35615E3D6CD4717962FB8A34F3595A4B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.821{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.800{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.800{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.784{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.784{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.784{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.768{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.753{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.737{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.737{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.737{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.721{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.721{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.721{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.720{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.717{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.700{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.700{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.684{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.684{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.684{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.668{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.668{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.653{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.653{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.637{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.637{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.637{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.637{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF3B58201B9CE02CB7A1DD95BE6D6A2,SHA256=0F03A5B32A68BCED1E3F1A5B8FD8D76E0279CD1CAE290F75C887E877FAB02F9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.622{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.621{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.600{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.600{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.584{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.584{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.569{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.553{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.537{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.537{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.522{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.522{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.522{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.522{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.521{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78ACB3B0455C3E0CBCB478626B04488,SHA256=6028BD32EDDA7F6FA8AE5D13D12BEF1FE980FB79CA0BF1A0F93F77270539448C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.517{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.499{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.499{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.437{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.437{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.437{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.421{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.421{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.419{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.400{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.400{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.384{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.368{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.368{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.353{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.337{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.337{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.321{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.318{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.300{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.300{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.300{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.300{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5E9333588C92591722FB88F82EF700,SHA256=EFCAF854EF04998A938FF7A6FED6BFD208178ED1B58DEF9D072F9B0CD91AF35F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:27.971{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:31.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF56312D45DD8F56F3B00C5E54A04A28,SHA256=67AC528420DB703FFB727A0D90950EC9622073E01D220A9921CBD0EFC24934C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEB10D1AD757D5705929CDA7E894DB1,SHA256=552D708AB420D342A1391CCDC4BD6B03F81F7FAE9D8C557978F67D1350EA34C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.621{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.621{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.621{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.618{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.615{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.600{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.600{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.600{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.584{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.584{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.584{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.584{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.584{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.568{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.568{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.568{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.568{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.568{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.553{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.553{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.553{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.553{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.553{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE545B3F54C13BCA735223FADC07499A,SHA256=A27D91A9F4AB593990C9C39D6E79C69B4D434A5A201B3286A1F5C1070E4E9922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.537{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.521{5EBD8912-80DB-6151-F378-00000000FC01}19326912C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.515{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.499{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.499{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.484{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.484{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.484{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.484{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.484{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.452{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.452{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.452{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.452{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F64B1B4774325D612BBEAC94F5264D,SHA256=1306E851AA5D3DD4E94204EE3975C99D33E62C7EFFE42FEA87E53FD6126F8448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.437{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.399{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.399{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.399{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.399{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.399{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.384{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.384{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.368{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.368{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.368{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.368{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.368{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.352{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.352{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.352{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.337{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.321{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.321{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.299{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.299{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.299{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.284{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7B281625BF0CD2BE81BDA9F115E585,SHA256=D8409395F7650A58DAB64A9050C482B1498CF289BBD93284057F4D2BDBDF1F1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.268{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.268{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.268{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.268{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.253{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.253{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.253{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.253{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.253{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9041C2A85D3FDF8CDB84C6DA3153466E,SHA256=5FD0B5C9C2B8046DAA589343574B962F90B197AB0E7D21A11AB1A82071F6C31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.237{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.221{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.219{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.217{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.215{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.199{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.199{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.199{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.199{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.199{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.184{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.184{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.184{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.168{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.152{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.152{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.152{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.152{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.152{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.137{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.137{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.137{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E59A0B14688234F6716C037DFC2530D,SHA256=BFDC9A8A6543B5F10AC32E352DD2CE0CF36BDEFE4D488E7F904C3CCD975015B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.121{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.121{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.121{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.099{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.084{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.084{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.084{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.084{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.068{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.068{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.068{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.068{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.068{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.053{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.037{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.037{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.037{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.037{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.037{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.021{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.021{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.017{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.999{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.999{5EBD8912-80DB-6151-F378-00000000FC01}19325436C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001039661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:30.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E01A06ED7246600D654DA6E8C54D226,SHA256=CCD12D78E26ECB26BE419C83A617A5804BECC06421277FCA0BE74E5AAB3BF97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:32.981{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D682B2FFD18782033E93C792BA153B,SHA256=6E9FEF0A47C8E88B048FC4D7B08984335BA1D6DF03F62DACFA0BED0538365091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:29.238{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:32.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF87BFD7B9B630C7EC3FA4BB9540F55,SHA256=BF8ED7338E9828C32F87CF7D0C0F577D838C6ECF6C70287B58FD2BFF3F5435D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:32.221{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C7A2DE65AEB590664D94770B3575520F,SHA256=4E5098E7A250BE397B58FDF9C2AA7FD72016C54629A0585349A9BDC7458FA17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:32.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59A6C71913DF0F6477DDEAC557F51F5,SHA256=7F67EDB766623C3F40E02CEFEE0093BC9AE8E7570B36934C9EBE2D97F6372684,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:30.564{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61713-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:33.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CAF0AB50CA8565DE4CE5ABE7FDF9AA,SHA256=716F99290D8BBFC6AD0ACF515414B9BB94AE706BF19EF091B1C0BC5EEFD39451,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.991{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52900-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001039826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.895{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52899-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001039825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.798{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52898-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001039824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.703{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52897-false52.188.50.245-80http 354300x80000000000000001039823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.611{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52896-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001039822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:31.608{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57326- 23542300x8000000000000000969576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:33.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92A415C537DB0513B47937FAE26939DF,SHA256=D09A3BEB4BADD411D188041DF45E22D6ABDC639614A195160F7619054FC13CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:34.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D3AC2C41BECB94BAF3F65FF3FA7D38,SHA256=66CC0FBF89495E5C8FFDC4D6E3A935342699DF7BFC337E3E14F9F8627D82E0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:33.997{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5868BFD494D174DF5BF49D2CFDE6EEAC,SHA256=1F8DFB2426B9482B1D779C2C84F5DF28CD6C39F4736F02AE0638857C1ABB3390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:32.713{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58875-false10.0.1.12-8000- 23542300x8000000000000000969580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:35.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6D331F8F88154163576B2A801B9A5E,SHA256=135EF81AEF09E8C3F5CC37385B210DD1C9D4E5CBCB20167F57CA56D444F36072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:35.611{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:35.011{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EAD45AF43FCF883D102FB64935A8B0,SHA256=61D954AD3F287D090072103906A1CF7A218CE9A55E1E3A0E73C1B54B31C12DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:36.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7661F7913D935DBEA77E06ECDD88816E,SHA256=10C97AAFEC31FE67136E8043E0E073F698384E7063FC619628E16A5A71D4AAE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:33.489{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52792- 23542300x80000000000000001039831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:36.044{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CB25B68CC7649F8EECE8993D419492,SHA256=E4B52ECED192B399385E14C595BDE72EC2E1447DBF1B4D035A94B81420519672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:37.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D92F1104C204E2E5E3CFAF0548BB162,SHA256=C7704D7AA21170152A9814B10EB7AB0429FAA841B38B611FD97661D3CA582765,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:35.287{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001039834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:33.804{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:37.062{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FA311D60C533F29D804C4ABD55BEC6,SHA256=56990B9C0EE3D45A881C79E92421742AF526038015D5A797737FABE594E8E1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB9AE7F2161ED79C8218688A41D67BB,SHA256=28F61DB2CB91770F77A9D82BAC88D2DA4C843A6CBF0D1E4BD861FB5E122DF3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:38.908{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=49AA6827C06F0BA95683AF73A8AEB798,SHA256=8FD5E2FA1AB62575A44B00DCAD8E81FD0CD5CC6549A7BA92794FE880229F94E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:38.077{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFF9D1A2D4E1532A2CE524AFE7E4226,SHA256=AC02D5A954B6AA2E4B23A52219ED43D2D3F5DF176D7B6C4150F1338CEFDF9CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80F2-6151-9C78-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.439{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.424{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80F2-6151-9C78-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.424{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80F2-6151-9C78-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:38.424{69CF5F33-80F2-6151-9C78-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:39.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0F6F0AD4FE171C16AEE5770B8B6B9A,SHA256=B6A38300A8F97126C1757C022942941D749CCEE37B819D83E33799EA46C785C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:37.252{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:39.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1266DE6C13B3FC61F6122E00F0364020,SHA256=728AE7F4DCB9401EDE9A540705A755B40BC334C3A6486E9F8BB4F289D3CF5CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:39.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47DF6F867CD1E33F42522FF72678FDC1,SHA256=7A18B52A102AAA1BBE5D430B2C580922BA9819035F63673C49B548F54FB44E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:39.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A9053E2ABE7D597B73A9E218F14F1F4,SHA256=C8EF0A89189947CC68CB5756D6A03CD4409825F89C9E95AE7F18D161E2DA89A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:40.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E226724D3577D6F8FC44FDBE1EBD97BE,SHA256=FC3D06BA3BD99DB4CFE2BF8C083CC09985EDAF7CAA175BFEAF34223633FA5FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:40.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE5DA3B006100C8F59DB5595CD68CDF,SHA256=C86F502AC708419B7EED6478130736FD22EE18AAA5B8F2331170ED6836410B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:40.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C330D82CF283A819AD57031F7E69AF62,SHA256=26B16DDFCF805B8E4C33DB4CB4794E8F9FB0E3EDC7D4418B5C7EDDEA5836C5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:40.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EE14F11D0AF10C70D703001F46EDC95,SHA256=9787A364B0B71A64164EF31B76D51B3300B7A7928324A56034DCC32598D48137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:41.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3319BADD46EA2F040884DFE8EA97213F,SHA256=04E3334C62F0F16E12C45778FEE318E5B1DA91C4BE04F52A898FFBE941BF2FF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:39.677{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:38.952{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:41.476{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE5DA3B006100C8F59DB5595CD68CDF,SHA256=C86F502AC708419B7EED6478130736FD22EE18AAA5B8F2331170ED6836410B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:41.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D866993A1A7E0FB6CBF85C067AA0D3B3,SHA256=3B2175AD6A3A076D77C6EEDD138214D2FC212E7A19FC4AB411384596B3F931BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:37.885{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58876-false10.0.1.12-8000- 23542300x80000000000000001039847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:42.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25261EB2EB437FB81BF655655FFCF07A,SHA256=452AC0B6636115F41BAD6D1A1F7033DCEDEBBDEF2C2266E2E3B0031565D8C957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:43.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C935BBBCCC6E9EFFA4D89930BC2327,SHA256=359C3A264B3558480307C2F315A70BB567111533D8B6D2A8C58B120D37430793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:43.100{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C631D7EAE758B5536CA85EC4345CCB0,SHA256=8FD718139DFB3C5E6694AA9CA78B722B997DE694FBBA3921B952C2495117B34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:44.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE3C584C0377A36B145D5951B049A97,SHA256=A0F6F8F4C35FCEABC8766B31064C78CDEEAB9BA4E8CF74FCA16C80465967F942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:44.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF1674F198AEB0C5D2ACC1F575BD691,SHA256=E2CB25C16E9C3EF03D96DD9A41CE0BA92D535A1C079E370E22008C42C2595F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:45.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B07F60CEF78488B9ECD088C1B14EBA,SHA256=F2B9360E1465B9E0184D8FC2BEEEE04CD7F4238B94432110295E4241EAB99746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.858{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80F9-6151-F578-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-80F9-6151-F578-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.789{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80F9-6151-F578-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.774{5EBD8912-80F9-6151-F578-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.305{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674D3206899E7C1EB98E5A34684C559B,SHA256=363DAACA9532007F2C5AB4CF4FA875D6014B652E92A5F99C99BA503BBA604A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80F9-6151-F478-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80F9-6151-F478-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.104{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80F9-6151-F478-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.089{5EBD8912-80F9-6151-F478-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:43.861{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58877-false10.0.1.12-8000- 354300x8000000000000000969608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:43.532{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.140.250.162-59099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:46.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B405C70C4EFB16A55A10F9DB9A289D,SHA256=673777822E26040ECD5663169669AA848DD239C08DD20DC81CA0D8AA422DBC4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.604{5EBD8912-80FA-6151-F678-00000000FC01}51607136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:44.949{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80FA-6151-F678-00000000FC01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-80FA-6151-F678-00000000FC01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.389{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80FA-6151-F678-00000000FC01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.376{5EBD8912-80FA-6151-F678-00000000FC01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20402F9CCC9291011C137C13DF54149,SHA256=2939E87F0BCEC00EE1E35C8AC61661941B10BDF341001B7699E37556BA1F96C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E5E4DF022562786096E8150A7113767,SHA256=BBAC840445D0673D6EEA967D977B343D38A5642EFC28CF91D12FEFF5B69A2006,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:44.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com7058-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:47.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB1B40C205A6F5040FC2B1D599CE9C5,SHA256=309B079C3632AD88A2C0873BEECC5975CEFC84E67A5EECAE20DE0EDAD208D457,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:45.524{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:47.374{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF73DD8C4AE455CE9E4CBCDEA691A72F,SHA256=4E85C2DD24542AE20A97AC4604EEDB91F532644D49D205AFD8E668ECC92BDFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:47.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0DDBC69EE01C4532A70A80D93287F8,SHA256=33B2EA06214F9703689D58B5A34E86EB7BCAB9F11AD934C46B65ECCA6B8D9148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:47.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47DF6F867CD1E33F42522FF72678FDC1,SHA256=7A18B52A102AAA1BBE5D430B2C580922BA9819035F63673C49B548F54FB44E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:47.174{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED1B09D078BD8EB61DCB1414A784EAF,SHA256=914593775236D7D1B268B8F4A63EEF95404833D51FCC30898189AB5FB3DA2552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:45.195{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local56545-false10.0.1.14-53domain 354300x8000000000000000969615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:45.186{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-56545-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000969614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:48.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA5C1FDF74D2EEE4F85E835F10F1083,SHA256=D0BA51F292DAA10E253B0795F43EEB3F7799CA7D9944C4896D6E195E7BFC193B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.248{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-56545- 23542300x80000000000000001039911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:48.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11D074A055B3AE48111EE04F1528418,SHA256=6E6A68D7F235273243B3497E9CF9C49AA146F077BE8A58A0861D4972F6597465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:49.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365A890037333C89F326390D5809FA02,SHA256=97A2876A02C4485647E5F1A8EF8B43DE7AE87394B69D93AB97D58061F34D4E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FF9BB1010C2E466F9C62CB5A97136DAA,SHA256=B3CF5D57A84C7B3B404199C654A79B787F48E4B7623C85DB5EB6A538909E2DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=76E7C507FD4A901368333DC4452E1F1D,SHA256=EB3FD1F9587B3F9BF7DD032BF40C03641CC633A9AC88542C2DCA6749DD367E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F311FDB37560C4B183D7BF56825B8986,SHA256=39F9FA1117375B7D2AF6C8398F5A23FD998F0519494008ECF919E4DB1A9C416B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=879FE32A4A9AB52A453A192AF1B5F55E,SHA256=3944045328CF254214C1E008393433B6398954A8B9719175ABE96710B788C9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CD77833486278C422DFF191F0CC6284B,SHA256=C89658E8AAC227E583110DBC06339FD8E095D4872F37B712C748405828170794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.673{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=36BFB5321C44F203957E66E32C931930,SHA256=A8CB3928E1F784C6EC862B7181F6DD87BB3E2AA08548FC6A929FF604549DE879,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.949{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com9534-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:46.359{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58878-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001039914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.538{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45FC65F652B62E0B6A9886519DC52094,SHA256=CCC86F7AA8F38664826CD543ED97A83357F55A9ED218CC1E9F477E6B6994170D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AE0DC299C1FDC238B4BB1F43C8E817,SHA256=DA3BD6961D92943FCB9A5149652B13F88230C585831414DA6B25A1BB181CC520,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:45.305{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58878-false10.0.1.14-49672- 23542300x8000000000000000969621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:50.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D91C8214F04CD37E795EA17B1AE56F,SHA256=AA00BA2B4DD0B029048DF33D25053DE4C2899EF52184D015BEE3479BE853F8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:50.405{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF3170E935479F03DE9EADC26950E86,SHA256=35183B8F1AB356D166792AE9B559644525BF6AAA2405D612313C91B96005C0E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:47.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:50.287{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0DDBC69EE01C4532A70A80D93287F8,SHA256=33B2EA06214F9703689D58B5A34E86EB7BCAB9F11AD934C46B65ECCA6B8D9148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:51.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A1FAFA30D5AA16D17B5F321DED0E87,SHA256=E6E9518B7295489298832512D41415962B87C41776D949B966E7394653089221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:51.419{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4DCB185A01E289F64D3850BF8E7E66,SHA256=FC059214D4D97DDC13D6CEFFCB9504E04B173A041FC823A19A41117558E30236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:47.990{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001039927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:49.531{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63448-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:52.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81D0670F341F61C74E1943B41DDA705,SHA256=C254238898532E0B530480995CFB3984F7EE221DF0FD17158AD047E632BF3DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:49.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58879-false10.0.1.12-8000- 23542300x8000000000000000969623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:52.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2315C8C8CAD704E5C160D6F8BB3EA63,SHA256=3C12EA1775C41352C0AE7284CA53741FB281A33CBA9257DCE44EBF6049CBBDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:53.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CD0799B2536FBE805B001B9C6C1900,SHA256=138816355C852545A52DE5565F090FE96446CDAC3E8AF09852B766E0D5C7A180,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:51.708{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:50.711{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:53.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3271C78946AE37D3EDA325C903420AA,SHA256=39ED274A91CFFFAD0DB12511CF0B62517F618DBA8901654B52C686333732172F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:53.053{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E015970BD6CAF7A810D0DA166D867622,SHA256=93F384CFC6AC8513E376B6D2A596A854A0C1129F7FAF7C0E2660B1B671ECAB39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.784{5EBD8912-8102-6151-F778-00000000FC01}56126936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.615{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760A6C33AE875D1C3308631FBFA7DFC2,SHA256=91CCEF237C1E2F45B707550958E23516ED79E4B6B00BA0E1EBD7E41B5A4E5556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:54.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F28157D0931955A398C44C4F982BF70,SHA256=8906FDA0D162596203AB24C940281E8FA1B4BE306746778A9F0B7ACBB0A9451E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:54.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D535E6A6AF0928900EA4F12033E60BB,SHA256=E8958C7C2123A52DC196106870D4805D0465684AB24C88B13475B13EA6AC35F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8102-6151-F778-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8102-6151-F778-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.600{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8102-6151-F778-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:54.585{5EBD8912-8102-6151-F778-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001039960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8103-6151-F978-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8103-6151-F978-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.984{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8103-6151-F978-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.969{5EBD8912-8103-6151-F978-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5B03C8BAC55FF7D7774B10017839CB,SHA256=7AF44D0074B926DF34E1A0060FC4E60D5C2C5776ABA5DCEB128E4F71D52AA1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:55.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6D391AFA45C7B512B04276B4B45DB5,SHA256=CEC36DE4DA71F1D72A878A51D9655E4215F704F092206400C38B16A06FC18971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89168FAC76FDCB3BB586B253C405761B,SHA256=229CA741229B31A04446A5DDDC2D03AE1F3986D720F1F0DE3C5F1AAA454943E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.484{5EBD8912-8103-6151-F878-00000000FC01}51364480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8103-6151-F878-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8103-6151-F878-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.284{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8103-6151-F878-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.269{5EBD8912-8103-6151-F878-00000000FC01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:51.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001039971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.984{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D09642932401AAAB0818659489E670A,SHA256=B7095D7CD4118A42A234FB1D364A9C3F2BDF11481D0391F8FF5A09D91DC2725E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.717{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035BA43DCA01C7F5256C035A8249E56B,SHA256=3CE26673C97C5B3A912EE3E1C9F5F1F5B2062BE243635B50EB4647EFCBDC6A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:56.303{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5739DB7BB594B432913C6434110FCE,SHA256=46F2DB382DA48B3CD88078FB7AA00C25825360C448F8B9DF4F55EDC47F357955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8104-6151-FA78-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8104-6151-FA78-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.668{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8104-6151-FA78-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.653{5EBD8912-8104-6151-FA78-00000000FC01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001039961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:56.168{5EBD8912-8103-6151-F978-00000000FC01}41684828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:55.891{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:57.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B56F3DA964A744BA8FC9871560F037,SHA256=5EDAE504800709CD82B5BF7A24A713907F9417DEFC9636D775F498A9153DB614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:57.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2CB9609D0F6320F3A9AEB34507063C,SHA256=71A81D0E3141ED82516903D2522930CAD7B03C41118F4133C206DDD9AC521CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:58.953{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAB437CE00DDD3A386F5EB3AE9C40A5,SHA256=F4C0046B8E0EBDE5CDD476091C83F44F0403FBA8400F58E050B06E5FBF123BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:58.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB652B4B5FACA94ED45EE59F1FEAA49,SHA256=680B907449805B65FAFE5847740A555E30054F0956E44F4B3B3E61BCB5F4A5F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:54.843{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58880-false10.0.1.12-8000- 23542300x8000000000000000969634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:59.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD377675838E5622532613E72E773C3C,SHA256=47293DFB0827CC8837A5EA2AC7B27C31D182F60E6EDD1A8E5A49F089DA775C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:00.996{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4267MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:00.821{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5CD2FA17033DD5C16B006462DD82F9,SHA256=842E606ECA153DDC0EAC1AE942E6ACAFE3DB0043D0662EC3298238E326014509,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:58.562{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:00.183{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165FE7B075ED170D6214810A4731AF7D,SHA256=9C5BB624AF87CBEB500EF524821BB55B3FB46CB486EA300EFA1C4EE3BDD06962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:00.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A26FC19D2ACD1DFF7745CF2F87079D,SHA256=0F82E28F28ED724D9232FAC37E7438B2366F7B926854DAC30661C57D6393CE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:01.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B30B1B73FD4011D7430144C949F7C4F,SHA256=9437FB885BDA34F074E8656189A4B06F80A9AF4D79C5DE24F2CE721D3FA2E349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:01.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6736112CDD9351C009E66CEC38D46D7F,SHA256=847DFF7F3F20E4BF1BC7B3DC616F823D5E6FDAB93027F141FF208C63C949367B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:02.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63A1A311EF92B8CF1FD564B664672E4,SHA256=CEA73F8E49F014E4E3352B397CE14F26C11A7197BBE89E748D43E79DA5512329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:02.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23871AF442C319C12212BC4A1307C22,SHA256=0C1464FD946BAC1D6A4686EA8BA92EC0940BAAB98E791277786DA7931C210823,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:59.983{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:59.552{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:02.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77DE6880EB1615D822FFECB94ACCF1E,SHA256=9DC1E51DC0D51FA46E4DAB6231F5BF47C7C4045BAA2C47EE4A5A716F97F8D1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:02.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC8D2C9597335C773F19FC9DAC1E3882,SHA256=F3B923045A593505CDCAB3CFCC89F4B45BC533D0BCEC8BACDB6FB9A9D46AA5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:02.008{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4268MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:03.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE83757B4CDBEF250DF7D87794D8CB60,SHA256=A198C5A71B6E4B116C4AF37DA7D300F62E2EDE5B350FBBB69F1B9D10B5BDFA85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:01.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001039982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:01.726{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:03.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88DC58783EBFC2F20F94DB9B90EBA73B,SHA256=EE9515B02299A5904B3A1DF7B4B106ACCA20FE09C6E0373EFA7E703502D74CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:03.181{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9118CCDD67A031B278C7C048FB9C8D2A,SHA256=53E7F79B63D58D8511B35F341E467F7127DADBE4AE36C61D2F839E6FE109CE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:03.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77DE6880EB1615D822FFECB94ACCF1E,SHA256=9DC1E51DC0D51FA46E4DAB6231F5BF47C7C4045BAA2C47EE4A5A716F97F8D1CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:00.842{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58881-false10.0.1.12-8000- 23542300x8000000000000000969647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:04.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23385F0B013817303CC5B305B8F41AF3,SHA256=BFA7627CD726FB508E1A0E108086F13F8AF363E4B892321EE8FF7DA8533175FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:04.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2401E02FB8A28285A807BFD9B8E144C,SHA256=02FD7B7876F9000BE9A913254368F0F33CD1F9883BDF282ED1948D4DAA240829,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:02.817{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-63701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:04.196{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22566D564C82D896B536E187E3F4816,SHA256=D171C348197DE153EB1A2280886E0DBA95869A755A2FBC0F49305809D8013A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:05.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5F177DF23A3A09ACB6342825BC7CEB,SHA256=3E6BE66338EBC2AA9D4ECAC14E6FA39B91BB54C51E3EEE0339AB5A595D05468D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:05.910{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB7627BA37BCB0A59EC82454CF910AFF,SHA256=97DA828E5352023EB8B8EED4954980A1446598BFEF1DC109EFA36E522E00AF9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:04.260{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:05.211{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4690F5ED44B97D6993F0CE8F68B4456,SHA256=F5CCCD8DC074459B2D8CD7957685D2D9C61656A3B8158CB1003EFBF16A9A60DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:06.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8EF93E6694E9B7F7EA2836BA657203,SHA256=F7BF4CED08DC34F964EA02CF3D431F80B98B2FADA6B60104CBC6729FE322F102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:06.230{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4B904504940924ED92825323DD3DD4,SHA256=49EF87D6F7EE0A67CF5A1EF960120DE9C6A3D002387F3C82D4747747EB9F02BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:07.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4950E78BA628E719676E8042A4DD686,SHA256=07C341DD429681F3475E1EF4ECFCD642DF85A42E899F5390B1FD67D46254E488,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:05.639{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:07.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76ACF30D6AB831A0D3A7C55A6CCC5FB3,SHA256=1D0FD1C5E8F8E9E8E77101D57E6FAA1FF8287E6A462A23566142B463AFE45B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:07.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A30F89AFC8758B5BDBDF3A2AF3F31F,SHA256=A6CDA51D3CACC2B16BEDE58444215064767C544BEEE6B09CB909B7A983CD70CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:07.617{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:07.617{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:07.617{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:08.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE8D914356BD69E080E123B8BCA47A1,SHA256=C74AF323372A892ED581F08F006DD5985B970340CE01ECB547743DDB043046B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:06.837{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:08.292{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B148ED9F3B2142A228AFDF86B149BC74,SHA256=31B2AC33D5BF018C6D7C8DFA0A6779CEC561F2652F25751D5CC322D07D60375B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:08.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A6C4DA778AD8B8307702D5ED5CC216,SHA256=E10092189B911272845541706153DEAF10A1856F96BACEC4384E144A339FA290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:09.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DAE27BD4FFBF526F8905FEA54F9D9D,SHA256=4D35811D5DF83462A8B9B90F705738CBAB1D3B155797773961260F892902E139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:09.307{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D301D6BFA7B4965C46145E95FEC34280,SHA256=3860902363C022A78B7530FA855375C7E35D42F739244C9A21EF57A2E82BC6BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:06.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58882-false10.0.1.12-8000- 354300x8000000000000000969656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:05.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:10.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7256E4EE18F777313C59E2A25ADE9,SHA256=F728E307936CB8D07E69E31A578E1BCF8F2EA82D098CC7F9BC330DBCF26E26BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:10.324{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2830EF03418CBD51C2A394031D539559,SHA256=6F8F91AD11BB732E7A5B740344416C7D264DFDB3C1EBD79CAF5BF5C128569335,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:08.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:10.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDD66703D0A45D445BFE25E492189EBB,SHA256=AA7BDF43B03D05A8347A8784C13DA1586ED949BEB8E7956414004DF747FBC747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:11.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8698545D13F03FCC648AF112D3F4CCC0,SHA256=4A2A6A28721A5F8178A3890F53CCDA8A0972497CC65419AA6B932A23719B86F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:11.442{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=232DEEAE27AB4471B690D5004C227358,SHA256=E7968A84E7966FA9CB0716057499777B55A2ED00B31B872B21D9C6505338461F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:11.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8C761BA398F62498E3AA58003414D4,SHA256=8B3A1A3D22CCCF57FD226BBC67D5F6DFE72C8C164C3DB36E761A677E97FEB30C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:08.746{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-56630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:12.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0668665C61A69F9D19751A2A889B434F,SHA256=6F12BE6E0914C33D6FC7B6BE6FE0B9D3BBFCE99A2B372E24A15D8CC158C82DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:12.346{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC932541E82E0F40DB4A4B72FD1B3DC4,SHA256=EC3AA5DEFD196292B4F8637386C95786A589E5056F4A5AA254C8A5D2454B3854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:12.789{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:13.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B26D45C665890EDD3D844D5AB313B9E,SHA256=1EAAC58EDB1810A86743D619D0AD845CCA0651054E64C00A505F345D71D52A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:13.427{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001040003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:13.427{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001040002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:13.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4C765273907BD6C46EDAF9AA4F2AC3,SHA256=4A25470D4DD7A50576CD662A6A7DD778C398DC9778258F7692ED7A934BC327B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:13.289{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227C6ED7FCE1A989D9A97AEE9007DB2F,SHA256=5F17CD2189ACEF099D0F06EF60EAC2E9F6A31A1FD0C0A55E36641B2DD7EECCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:14.426{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12860D606A5CC0FE7634A15A23DC3DF,SHA256=D9258DC3571110084D4523D6673E3E8BBF459C9965C594A9E57DFF87447DC4AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:11.423{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58883-false10.0.1.12-8089- 354300x8000000000000000969667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:10.570{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001040005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:12.737{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:15.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411FDBD2A52117EAA33606E91806741B,SHA256=E576314D3CE39D1A4D34F450277DDD2135738358049F875A04DA227CE2479507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:15.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE8B60A24090CB33C18489429AABA93E,SHA256=4D3D00F8D3E3623161F598D0F36D7AEEE660B86347E3CC8E4A866B9FB8F4ADE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:11.891{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58884-false10.0.1.12-8000- 23542300x8000000000000000969669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:15.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB87A83B2F977DB9EAA85DBB04A0ECB4,SHA256=FBA306C33415C93D2D0487B757C652B4903BE435DD0E2CF04000381B35E09B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:16.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4826BB0F79AF00FA64C9D160E660E92,SHA256=907539A906ADCDA0D9D3C445EBA15D715D3A8AA2DB22C83BAEC24BA1CD51A50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:13.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62357-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:16.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC58279A603CCA54CAEC4F32334633E,SHA256=DA1C8A989F6B34BED384CE44F782F81D387CC45B92345E681ADBEDBE7F145B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:16.458{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001040012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:16.458{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:16.458{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfa8295b.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:16.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4E46B456403BAED77FC80A812779B0B,SHA256=B399FA8FDC7822A5C34B61EC13E10C9EAEBAB48158FDABE8B07CFC8F7772C378,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:13.525{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:12.906{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local52910-false20.199.120.85-443https 23542300x80000000000000001040018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:17.543{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61ECE19E68FB6F7D16B451A3E5C26DAD,SHA256=5FB28B910F83D0C3ADC48CD569D16E9C47B0C5E2B76389E07DB53DDADD94C652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:17.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB33C4823E28513BCE09C43784350B3,SHA256=2377E286352EE6E6CC060AAA6D9585EC7E3829A49C13DC79BC781F7C447A7B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:17.404{5EBD8912-7F30-614D-1600-00000000FC01}1268NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=DAA178468E70B337B9F6C72FDCB8F8A4,SHA256=D7F81CD0663805C83D5400129BCEC05F7D2856FAEFA9D3E1297A85871CE1C423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:15.613{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52911-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:15.613{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52911-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001040021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:18.589{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF1ED28215898C2FB536C4BC5F1B81D,SHA256=502FFF9F0F55E7B49DF233DF841904074FEC8E1CA20A819247FE68C85EA44A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:18.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE36DE39B8FBA2E9E230035B16CC4211,SHA256=BCF35144031EB8E0D7AEB4612D4A61462EEECB40A991A75B3A7C1ABA0A576291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:18.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B745EE4349E85214F6EC54FDC3D936D,SHA256=998C122CC77A24E30759CD6DADA0D8CD9B43ED91867283804EDAD96037F3F602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:18.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A3D84160574509D528671291E90BF812,SHA256=8B3D4D3F548EA716A621183E9B04BD9F19AE1A67FFB1D424C8AAC0A8F9811BDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001040026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:19.742{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001040025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:19.742{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=F08F834274EC7C25C140D7C52264B165,SHA256=4EDA3588F81BB8A2B72F3D12F653DE11C18DD12FF33B923DA83DC74A39376AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:19.605{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8FBE9169056441731DB8FDC1F5C646,SHA256=DD40D50A7755411B81AD891E499AB0E38C1569854D43440753DECA5C42474483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:19.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C523D22CA06A3EBB11205B09B3841D,SHA256=6411A2C70F71BA56162DEF551CAD3EA0FCF296EF1F1C8B62FD81F097198A1F11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001040023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:19.322{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001040022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:19.322{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=763B91B02A0A5CA48ADC9388426B62EC,SHA256=F4E612DC0E434E05AAB4B8FD627A42C54755F0314C315DBE2E762A3C8E20DE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:20.623{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5417E04DACDB193DE52058614FB5137E,SHA256=FEA7E5EDDA726C95048343025A497B7095EE84F47AFC65F55046B4597DFCD502,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:17.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58885-false10.0.1.12-8000- 23542300x8000000000000000969677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:20.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBE72732F33744CA17830B24647B19E,SHA256=587845C14183EFEDEAAB48EFB1B649D69C44F72A5361EF66DADFCCB5B33994E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:17.881{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:21.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB4E58FDDDA1D48804862CEFE8F3F13,SHA256=5338E161B4D47A52752265BE3CBB9397B95C4DD344B97B84AC537A4CE47ED79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:21.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5001E54DFA80039C4C31FBB595FEC718,SHA256=E0DEDD1773FBDCD12116C25771034C86CC2F344E08D58B5D65F9B2E5AECB3021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:22.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25677989B1C97E5541D21F230A364EDD,SHA256=636147CC619223391DA3FDBC45E073CA766F2F183631011BFEF5DA7827943F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:22.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEF97E2D24DF0CB9D699C5D5F94011A,SHA256=82E2384980A1DA7A7FA18A9CFADC061CEDC3A58BE3182B4BB97D4719E4C00CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:23.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50188AFE7B11651E34B504D4CEFB1ACC,SHA256=5B597E39BD0FB0DA3DD855B5D253BD9E92B1CE887B3BD3C14D3157E74AFEE3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:23.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5885AF8AF89424D07D42D89588BFA455,SHA256=0247D6DBD9B246FEC1A55B03C5ADBE2CA394A531FB7245072A2E4C014E0439AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:24.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A8349A16996EBBFEE560F447D15497,SHA256=DF7F86A709F3C9991792DE0B1BC821A0445523B13544AF43588C679B89233905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:24.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CC3382B4ADBF690864EB4F11D9E1CC,SHA256=746C33FAF6F1D4BB0F7867844B83394CD45B24119BD77036CCA894AE6D094F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:25.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1986408FB8DB5B088AA5971B615614,SHA256=0E1B8A55D828FDDBF801EDBD5F9EB036B9AC9D3C7C28857EA804FBDB2BE033F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:25.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA94DCBF88A60758561204531B134A9,SHA256=2B39E47AF0D9D6FD1006DC7621734148ABF643AA574AB7E9BAC1AF5ADEFBEDE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:23.780{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:26.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF869B904A24CAE25616C36929C1991D,SHA256=A56E2D784F75A0788CD993DB8C972B5B3BD6B5BACBDB1624AAE7A304E9CB18E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:26.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E94634A303DDB728FFB7C1D33FA0D00F,SHA256=E96689E675A24EF6F64C8F3CE6A81C17F1AC2FBCB6FFFD88C6FA8C80D7D3F93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:26.802{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148C8FD13A608B5D9DC1E09B4C9C2D4E,SHA256=EF24BF0F653C58E6D26FB6849A743CC9F1EAD263BE02633AB3A8BE5F388D0C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8122-6151-9E78-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8122-6151-9E78-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.884{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8122-6151-9E78-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.869{69CF5F33-8122-6151-9E78-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:23.798{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58886-false10.0.1.12-8000- 10341000x8000000000000000969698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.446{69CF5F33-8122-6151-9D78-00000000FD01}33561872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8122-6151-9D78-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8122-6151-9D78-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.196{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8122-6151-9D78-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.181{69CF5F33-8122-6151-9D78-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:26.149{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43483944DC8BD09D0D82EBA924E170B6,SHA256=9F0E39A0A666516F60055BF0EFACCB295AFE4177B6FD7A8D58AF546754193F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:27.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C614299B59AF967C16C78401BF449190,SHA256=8596B6A56D33EBAF18084AB5CF9203FBF3F4617FB0AE6FDD9B9C2107018913E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8123-6151-9F78-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8123-6151-9F78-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.415{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8123-6151-9F78-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.416{69CF5F33-8123-6151-9F78-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDBE4E8D0168AC46157296093B57DE57,SHA256=19090B965BDFC6B8ABD6EFA1E4A61E09BAD95659DC8948D5B653C312AEA2B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FA1C633C30A6116AE8C8073D95C0F9A,SHA256=CAD12F76D8BF8BD6BABC1126D6558E8A60EB241376F4160125F0820C8CF11AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3B978FAC039A7D747522668F8C6E75,SHA256=F97F01FB8105AD700B213371587628FED51B64A9C55F17F3C93F46B9C027CBF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:27.149{69CF5F33-8122-6151-9E78-00000000FD01}24081572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001040039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:25.453{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:25.096{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:28.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E99A54F6052A1BFAAA9252A02DD821,SHA256=CE829E8FB79B6C89E3E3D6B4965D6A65C094F26C2F7986CF03342EFAFDE83D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8124-6151-A178-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8124-6151-A178-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.712{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8124-6151-A178-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.697{69CF5F33-8124-6151-A178-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.665{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDBE4E8D0168AC46157296093B57DE57,SHA256=19090B965BDFC6B8ABD6EFA1E4A61E09BAD95659DC8948D5B653C312AEA2B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54189D287B80CD2B15CFF0CBC4BEBFE3,SHA256=8523FE791A6C5E787484F1AE0588D42E202B5306DCDB8BF21A4998B0694AB110,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.274{69CF5F33-8124-6151-A078-00000000FD01}18921908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8124-6151-A078-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.118{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.102{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8124-6151-A078-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.102{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.102{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8124-6151-A078-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:28.103{69CF5F33-8124-6151-A078-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:29.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E983130BDA57FAB55C70D49EF7F61D,SHA256=95136820C4FD5C5B50B2FCAE0CA1AFDD4AFC4AB4F5C1C5762186CB7B36AE3C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.805{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D470FF076EF2EAE170BA0D0B6DF1EAE,SHA256=716E34AD634B28049E8DF2BBDAC7579260C3B8613A03E720DF8BCAD9087CF521,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.540{69CF5F33-8125-6151-A278-00000000FD01}28443448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.352{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8125-6151-A278-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8125-6151-A278-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.337{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8125-6151-A278-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.323{69CF5F33-8125-6151-A278-00000000FD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE34C324A52A6EB71F3E1DCFF396674,SHA256=C9275DCF25DD2B2A44AC63728D23B7F4440DF5147181B9164CC705033C056C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:27.626{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:29.458{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4267MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:30.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01314C02353761A269028A1F46C2F14E,SHA256=395422B93E2E54F55B3CB910A07B473D4E104E7744099CC36E620B48AC4CD4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:30.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734F03F84D8A564F2F6464650BDAAF7F,SHA256=939842ACC9DD7FA85BD05DE9B79A411C4FD251BBA146B16CB90C11BAA4A2A68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:30.471{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4268MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:30.138{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF869B904A24CAE25616C36929C1991D,SHA256=A56E2D784F75A0788CD993DB8C972B5B3BD6B5BACBDB1624AAE7A304E9CB18E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:31.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B2943CD84E111F8BB97FF5DB11C1F,SHA256=AC80084C38A168107938497F447AD2D627792021959CB6A814249EF4869F905E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:31.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EDF9CC15AC4798D77F2FB2E7C7655D,SHA256=4B7297CEA4E8CFF8C66322EA63DD8A167525A2BA14CD85F7DC4519ACD5D4CC19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:28.908{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001040050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:31.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:31.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:31.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:32.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637637E2137E433F937330460A10CDBF,SHA256=96145330FFCB5C9765466DF392EC280E2C936D9BD2EF3E81320750D68DF5B94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:32.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9310A1FE1541313682E41DBD227A3E,SHA256=956B19000DD99C895755034D26A690CD8C2A9E179F96622A8A54DB557CCB1F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:32.227{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C192BF6BCBA6A7C0CCBB5CC0070359A1,SHA256=1EB1F949386868E2B28C9E1DD81136D8CDF30A3062F3AC18863107FBB484F674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:32.487{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E546C382C4ACD355C5E1306962EBCB40,SHA256=B7B32CA174B11DA7FDD187266A5ED8978D25FF6FD43E8191436AF62163B4249A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:32.487{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:33.954{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA5C737CA3FDD8721A5071838247B28,SHA256=177D3AEBF724FD617017AF13122FF110A4E151D801AAA0CD47DAA15A3B9B139A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:29.767{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58887-false10.0.1.12-8000- 23542300x80000000000000001040057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:34.969{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED21D309A89D25044734580D907CB96,SHA256=24222C149FC14892D1A872A91508F288B2F1B6ED1A969CA6D9A163D3652E6B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:34.493{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8A3DCE70F5541846064A385FB8C5AF,SHA256=B083839FCE7DDDC254943F4C0494B87300AE909C7A0C5E0AD9B9F292D9230544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:34.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36CB797F92644B4E214A8E1DFBAF7E2,SHA256=2F31BE27D0BAC73BE73B82CD87E5B730EE3E6DD5DFEF78D6EC24F3D79496AEB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:33.188{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58888-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001040058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:35.638{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:31.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63187-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:35.243{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCC8A9D5A2FF46B58B9440AD59E1163,SHA256=28BC3B9EF736FB414A3D79F4EC872097DA34E0CFAAA9B9108E35573500E024D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:35.308{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001040061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:34.807{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:36.038{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7395248EA9EABE22B5AD46FE45C7766B,SHA256=EF01FBD80B54D986D210464AD79DF82A6D7BF7A20C19ED1B7D3D660C79D0CB48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:32.134{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58888-false10.0.1.14-49672- 23542300x8000000000000000969784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:36.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BC5CE466BBC7E0D26B8A5625A909B5,SHA256=799A4DB958A53CB524187C60B3D218BE88BB53D3807992EDB95C828D314868C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:35.904{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:37.068{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA013CF1319492A4897A5369E201926,SHA256=21784B5017832DFA5860D0035F7A1AC3F3D901036DEEB7C7160B2FD7FA428CC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:33.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58378-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:37.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986A795CEF3820A1D703CA6EAE4EC21C,SHA256=4D521603C5B76868CA2AFBB719E9314F1C1FC7392F42A1A8565633402E1A4DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:37.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92161103F8B5D9635E7B936213F59761,SHA256=860D1B7F3CD521120D96BE5F7814C56D73217E7FCF3C5820BD237D446B9CD4CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.446{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-812E-6151-A378-00000000FD01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-812E-6151-A378-00000000FD01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.430{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-812E-6151-A378-00000000FD01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.416{69CF5F33-812E-6151-A378-00000000FD01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:35.751{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58889-false10.0.1.12-8000- 23542300x8000000000000000969789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:38.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7BCF5D425BC8AEF21B763C30104E94,SHA256=96EC157CEC613D547A81DAB6E96DB72F1BCF1AF3AD429AF15469AA2B76175A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:37.137{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60161-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:38.913{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7201F23EC780F0F057083F897C34AB93,SHA256=22D60CA14774D6E9116CFD2E8B5C11F6C8D17BCA0B50E6931F5A1A516EDFBA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:38.797{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44158616E69875ED20B7154F77D0B2DC,SHA256=C09618F2F7BC90967FF4FF990305FF07D4E29EFE9EE31EE759381207F02FE02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:38.797{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=900DB7CD4CC37AC350D65F9F4D0D45EC,SHA256=EF261B6F98E3515718CD30D3DB40E0C5C242EC6FAC9FE0F4771CE6BCBC203ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:38.135{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1997157D90007CFBCBA32A6C0A875A,SHA256=FB2650F7C89B6415537F727D2F40287D80AC32EC52BF33C7E31E535E14C995D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:39.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A60F6425EFD037E59E8CE471B6998D,SHA256=6513D1873A7DD27FB5A910642F23FE52FE2032CAFE594952E8C52B83CAA224EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:39.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E9C202A43D4C607FC06FCC21EC26EA,SHA256=AF82649B715A96F1B3DA632D544F7AFDDC522881A37E48B89C4C6A98309D15DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:39.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC382495BADD13F3F1703EE6FC061D2,SHA256=A1A608D324F8DDBDC40ECC5EE6CC56110B763B0DCD07FEE237AC81DD7C157567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:40.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446226609096E4C0BA6DE0B7086B79CF,SHA256=725A3225E9081445DF6406B2E40648931F0FEA70D45FD0B48DC0E4F20286FD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:40.248{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FF942572D4AD6855352351CCEC2063,SHA256=75E637E83FDA3FFDE81AEF6750B187FE101D75A9489C96D7EFBF51E536C1BC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:41.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78267ECD380C4642F430712C6856DD4,SHA256=D6B3823804803D866920172CFC0B33195712480BCEF5BF1665B9B48AD9EC2611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:41.263{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676169AA47639B4AB1C8250F1C01C2E6,SHA256=F38D431D4D2AA917A6CC6EC22B6CDAECDBF295F75D184C0D20C5318AB481671B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:42.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B92EB1AAE027AA36E391B4AD72BA2B3,SHA256=F29ACECE99865C249339FD0BAE75FE252F92914594595E807247C43707F47CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:42.993{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44158616E69875ED20B7154F77D0B2DC,SHA256=C09618F2F7BC90967FF4FF990305FF07D4E29EFE9EE31EE759381207F02FE02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:42.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063527EB2E06F42883B5133FF4B2FC42,SHA256=2A460690F136A7812678807AC942801B287437271E82031BCAA0F1A906D23F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:43.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2378E0683F79B3E96BDCE5BEA19F8B71,SHA256=DEDFA9F561E2A015C572C567DFC49CB22564B8318438CC482EE1D5224C5C6C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:43.330{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C499C380318C8471DCC60C9CC36B50,SHA256=AC69EB4AF4EE472A6DC104DA1DC5FF2A5AB1E7E0822A77F8AFE7F62A1B8DF4F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:41.349{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:40.755{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:44.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755716FD59E73F13AAEB2414DD2A8DE5,SHA256=7AB632191CD9E7E8D75353EBC2E0D0E510C5E3F87450B4DEF1D6C23A78CC6921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:41.719{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58890-false10.0.1.12-8000- 23542300x80000000000000001040078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:44.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B44EF047BD55409D077A1BF0D31780,SHA256=83B167683FA01FD972E1D7FDFED3CF3C3AEB24EFCC907C9BE3BB1180D32D8117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.828{5EBD8912-8135-6151-FC78-00000000FC01}59045300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8135-6151-FC78-00000000FC01}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8135-6151-FC78-00000000FC01}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.628{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8135-6151-FC78-00000000FC01}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.614{5EBD8912-8135-6151-FC78-00000000FC01}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3989288327B4AF9F8C7AA809DCE5EE4,SHA256=A59926C3E9129E82287B17B0F72BA77D8A82DCF61580046F6BCA144914CC8F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:45.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2C29DA81C9A682C33C9F027FF189DE,SHA256=580E8725F8EB3D141CC554CB9EAAC73BDAB7D19E2E89F00D1F72A6170580469A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.193{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D18A67A8AF84D0D3F2289AC90F21B92,SHA256=F5BD35927BAAC1A6C0A6E595294BEFBF787278A9F043082EAFF32A1448E80839,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:42.723{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56921-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001040087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.131{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8135-6151-FB78-00000000FC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8135-6151-FB78-00000000FC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.115{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8135-6151-FB78-00000000FC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.094{5EBD8912-8135-6151-FB78-00000000FC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A72033103C5F5D8D6DE387684FD6377,SHA256=E7057CFF9CB73F4DBC87389E2685C3635CEA8E27F80314DABE0A3BA8BFA222B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.381{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FE94DCEFF6FA444603FDD476FA8227,SHA256=4D3B075FB1066958FF330A0E061653E573F96F5C050780154914DC16C50D4EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:46.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4970A681042A18F3E932F18F506825A5,SHA256=9DB8B14B875E1ADFFFC9C955B2EDE709D7152DA021A74B7C25D04BBA4689E203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8136-6151-FD78-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8136-6151-FD78-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.312{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8136-6151-FD78-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:46.297{5EBD8912-8136-6151-FD78-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:43.815{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:43.575{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56572-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:47.461{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A340EE392687099F1DE91CD6C34EC6A9,SHA256=318BF8132B7650EC18C4D6472791D5C77D7FE09C6E528E4941AD2979B07791A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:47.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63819ADE84AF93084D1704E76331EB44,SHA256=F4C203617E2CCF98AEF5B342755B10F3F84A41F266DE708DAC94511613278B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:47.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65DBE5453CDA7387C2B2D85AC5D39097,SHA256=1F94C0A2B7CCCE7E75F108220EE1D57AEFFBE36F96573009B1C43A7A7F67A237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:47.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF235AB8BAB7B0B6BDFBA47895B2DE7,SHA256=74896A4BE90E37919B445BDD5EE2147E8AE109A87B98B97C5BCF5F98DD86CFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:48.479{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81760692072719DB4C8E4C8CD59E335B,SHA256=AFFA9C4BC0B42414EAF23FBC67F63134173CD590AB559FCB7E28DF107FFA622F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:44.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:44.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59131-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:48.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321415ADF1DFBC9EB4F26D41F345FC30,SHA256=210FB33E379BB8B4E8116744531A07092C0AD3CD5AF4D5C28AC3FDFE41F26050,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:45.888{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:49.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2780B3FB43F468D186F341C85C43C0A,SHA256=1CAC25EBEF3D236677429F97BA599F8D5DA8B87ED68902CEFB028BFCC932709D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:49.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63819ADE84AF93084D1704E76331EB44,SHA256=F4C203617E2CCF98AEF5B342755B10F3F84A41F266DE708DAC94511613278B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:46.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58891-false10.0.1.12-8000- 354300x8000000000000000969820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:46.661{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50205-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:49.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F203C90F2A5B7FC5F4B273E899B361E9,SHA256=0F9A3D93FE435F2A34E9A928E429A41B4C1B7F7312EBA8648B47775C0337F296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:50.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE844A15EF6D124FED61BD64429AF3B7,SHA256=89E67D9F199E0F2B05F6AE6619B19425F607EC04E396E259421822EAA0706343,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:47.624{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60511-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:50.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394A1F716696263075E4E78FD0A81416,SHA256=11DC2000300FC513C7284D618038DE143FB16B17853675C4D7A9530F8EF3ACE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:51.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3611EC790CC2E300989B37EC9ABE29,SHA256=8C5A0912FD2730F924ED37B8800EF087A8C61323D36A21D69665246B048D457F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:51.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C74812297A555FD81A8DD0F42ED70,SHA256=18D01E8E143A6BD12DDF778D55481FFA69529F79FBE95749986BF6D092DE8B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:51.378{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87EEF2B5ED78D4C0E8031AFFEA2FF670,SHA256=11D98AEB7118624E1363BAA5B6C9233AC378F175A0AA2AF26973DDC7F0E78A25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:48.947{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000969828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:49.921{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:52.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BFCD65C0707377BF4943119F8DEBC7B,SHA256=B2D5387DEB54910C74029EDE28EC9C254414A9FCDF2CD20FBE6F39848990A634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:52.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938E03967F04913C338C95DD68305D75,SHA256=9135D9BBAFAE91579D90118AA4D69E9350454E67BCAB65EEAF05DACF4978E322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:52.541{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984AFBB981FAEA0318E8CE0AEFA0CA8E,SHA256=D86843B023662B18F4B06FBD50924F6426AE0AF1340E979057808D95D0F8896D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:53.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B430AFC00A2EAE6ED344456E6720D01E,SHA256=251892318AE47B5107946AE4DE81EF0387F9382665737E6E1DE5E0E1062ECBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:53.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F428D916F9373127B1222C97273EF597,SHA256=1AD0B16C769BD9DB6583FB05DD5F41785C39755F0E3C0CD56A02AA178F45F00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:51.073{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52448-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:53.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C76FB425F73A5D802BEF009263B7AB03,SHA256=99805463D9A90ECBE3E4648FE13F0391FE18833CFEE4B55E5A1218B654AE6E95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.792{5EBD8912-813E-6151-FE78-00000000FC01}6016944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7E08D8E3F9C8C3FB05072BE74E3620,SHA256=C8F0A4A5D18ED9CDE20B23E903D00716AE23B22D6376AB214BEEDD6D918CC33E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:51.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53206-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:54.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34E69FB8A789E0D6B0AED66CF230BC7,SHA256=F9550701D3D3FBFBC77A7004FBD9BD7C473B09484F36FB8787A5AC63EE041782,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-813E-6151-FE78-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-813E-6151-FE78-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.608{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-813E-6151-FE78-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:54.593{5EBD8912-813E-6151-FE78-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:51.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:54.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA6389DD53BFE2F1FA043B6F09107690,SHA256=24F729C018EDD5299EB5FDFEDA2EC87689D61B68BACA34931298EA592EE7C903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-813F-6151-0079-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-813F-6151-0079-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.960{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-813F-6151-0079-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.955{5EBD8912-813F-6151-0079-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AA4D3642CAE70511F0F906B6D65B15,SHA256=74A2D7C4F3A97A9DBD548E788DD82A0F5F82C61EA57D8F6C9DA39DE7ECC6C514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:55.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8058C0E134BDF32224CE829E24E432,SHA256=16B810737684C621D8955D1A52BBC7D0DC20E88A1394EACA6B51B3B3D895E5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86AD3BAD45F7CFCF93B8C13BD50F0D50,SHA256=7686187FE9CD6268CD4BD919A34D7BF0278B9258AE8D5B597ABEA4B2FA4534B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.523{5EBD8912-813F-6151-FF78-00000000FC01}54566440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.307{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-813F-6151-FF78-00000000FC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-813F-6151-FF78-00000000FC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.292{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-813F-6151-FF78-00000000FC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:55.277{5EBD8912-813F-6151-FF78-00000000FC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E564699F8C7741E1E5784240B63EDA73,SHA256=1D63236F75C300C7719238ADFD86339817347A0F3DF6485D6DDC0C3A21AEF47E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.807{5EBD8912-8140-6151-0179-00000000FC01}67402708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81AD9A024675BBB55C540C93F449175,SHA256=5C96F0003216F20502DCE3E70DC87D20A0F248BD74E297F1D714EAB095EF628C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:56.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160736DC5B5FF45DCC94F9FAFABC5AB,SHA256=08407CB8DAA049D4F8FCE49E9A53E5675242041E927C10880DF7D7B3760A374F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.659{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8140-6151-0179-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.657{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.657{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.657{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.656{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.656{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8140-6151-0179-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.656{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8140-6151-0179-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.639{5EBD8912-8140-6151-0179-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:52.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58892-false10.0.1.12-8000- 23542300x80000000000000001040165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:57.775{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807BE6D0FB4AC94561421B7A788F3575,SHA256=CA0A41055CDF2B8FD7820F71676F26A3E351DA5DA74B4030FAA54AAD45BD3C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:57.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8602396FD672C97221A1790B881B9DD,SHA256=B01759B3774F1AF74132AAEA0D58E2779F8D673DC6C8EDCB61E78686817A6B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:58.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AFAC18358BF0C03C8F430BF11A5541,SHA256=185ECEAF449B46686472D0D6DF9EBD630D36F9CEA386BEF2302D601022353FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.836{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E62331B90BC6E56D35C46F11EE0D16,SHA256=5B90B8C80E03E566172ED7CF28ECBB2091BEF8BE7E45A54DEACE39C0F6D11027,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001040168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:30:58.653{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001040167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:30:58.637{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001040166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:30:58.637{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000969838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:59.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3557EBB99C1C870CA7310DE53A4F2E1,SHA256=1ABC95C2F5DC6DB3B6C26D37340319A7BA800B832B5FE33C39C074DC3459D69B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:59.905{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E346AA1DE7F40C8F056BB565F46F9EC,SHA256=B7EEB6189B7513FF8C5BCAB4A9D280116F2A63D8C9A4C653AAF2230FD7F71F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:59.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131B3AC4833A9E7E4916CDEB11490C4A,SHA256=9FEEFF17E0042C360A0247CC62215B3301BE827FE8713D8912C9B32559FA0426,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:56.945{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:00.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CA53FEAE58A6F61D68BD63A429E831,SHA256=A82490D71B8FDCB2FA8D092F6BB842727B754286BC607100C71DC34574691BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:00.972{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5DF1BC3174904143A8B3526233F244,SHA256=41A398349B926AA2AB951FC12BB2B34EA3CC050A2E66CC9D00E7E7D87E63B93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.358{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52923-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001040177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.358{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52923-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001040176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.345{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52922-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001040175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.345{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52922-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001040174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.330{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52921-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001040173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:30:58.330{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52921-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001040180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:01.987{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B00D87008EB030EE816EB59FDB5FF4C,SHA256=C85CC1CCC127832A5371EC0BAEAFC7192DF5E0D2DDEAB40841F3071D7FBE2E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:01.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B3CFDE64A45D7186857A330FB44FCBE,SHA256=314205D862CA575FB7E1EF75CF337934185FC279576E582D8F98F285245A7FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:01.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCD0DF28983E5AC8B7612050A95B080B,SHA256=6592EF0D259A6B4AE0E1D1DF71A0E7747713A74347A519922BDA78DCE4A5CB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:57.906{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58893-false10.0.1.12-8000- 23542300x8000000000000000969847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:02.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B3CFDE64A45D7186857A330FB44FCBE,SHA256=314205D862CA575FB7E1EF75CF337934185FC279576E582D8F98F285245A7FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:02.526{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4268MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:59.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57981-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:30:58.938{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:02.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE9BF74B2FCDD8E59C7CE1C0BFAAED4,SHA256=94E94A4D6245DA37A0EE4FB1AB8BB8226FCB73160588A3065E59CE247B70CB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:03.541{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4269MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:03.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3798C17E91104846406EE54AC31B8758,SHA256=9AAE5E0C20D6294F92631BA3AED25E4314A5283F6478E22FCF7A3FF35F988F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:03.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7220440ED9CAB1F51789EAA2E05AD0C,SHA256=4886A6154B1CDDED876C12AB7F51883D24D25A8C601D172E9A4625BCBC2F246F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:04.541{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E207BF7B6451738E9FDB511C59D6FD1,SHA256=F9618D85B95F97B13CD585918838875F91942E389701BB99886AA874C80BEF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:04.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85ACB396CD1D0476F72B46795D115326,SHA256=F7ADAB8D0BF88A4F41FBF80E27A459258F1A573ED1F96E9F5E2126301B523C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:05.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F124274C4769FF6D4D170F1A6A505B6,SHA256=9C2F14CFB48C0D8CE302A4C111CAFFB26883CB01AA6B5B71DD27934BCE895F0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:02.927{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:05.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF6FA4B47EC8AFB59728E36F7CCF1A9,SHA256=1D4E25137B1A0DB3C158E931C5CB9AA9E32764E892F69B3FC74248A61402A4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:06.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B213E543CDE9EF94D2590A21787DD8E,SHA256=CBA5F3CB33EBA3974DB5F1D3CD59F0613053E2E70722E59A1CE6463747A70251,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:05.032{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:06.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88383F9C596AD281E4C6176EF589AD1,SHA256=0BCD724D4388A302ABC0F22A32564F81648D352603C693FC90950FCE2DF0D5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:06.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46CB635B5BF05B2837955C4166FD0879,SHA256=7327A95D4E815DDE7652052C814B57649FEF6180B3C72E45D38AA6BB4A354132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:06.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C95897230FFAC0AC427BA318DCEED73,SHA256=04C1BD2C9BD6C45DBEBF9B1A37800A9CBBAF039537D7F8DB2A49EA65A4E0AFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:07.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09D074CEBDD365FF256B5940AE70AEF,SHA256=C292DACBB96606531F6DBCB33C32A98EA96F545FAD3F6835E68F36CB3B14DE4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:03.861{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58894-false10.0.1.12-8000- 23542300x80000000000000001040189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:07.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D85F7C1DA1FCCEF06DB86BC61EB9AE,SHA256=2CF2C59B49CF0D5CDF3E4BE89DF109F1515489F013C7D28C25F3FE0A3929B785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:08.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306F555B62F0AF8C6B758C8DE147C0E7,SHA256=DB433180E8B1FE3AD189B7A041F453C8664C66F671AA29035809C4D33246F191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:08.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A74EA132522AE0CE5CCAEE2AAD34A35,SHA256=50E35946473446D1C12537D51A125CAFA9F735ECD6B4D59AFBBEE654F113452D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:05.705{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:08.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6E6C84D3E4DF9A28AE9FDA06BB57645,SHA256=14F65EEA2F23849AAF40A57AB54AFA475AA3A678E61EC825E563AF760BBF57B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:08.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E1769F4A6A294BCD429E01B97887926,SHA256=FE27F8CFFC7C1B7D12837C12E4E62626209B9AA55D637AF28934ACA591A44C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:09.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E88ED521EE9F164CF79C78FC9E6497,SHA256=39FD3F81392C7B6471F8E25B0DA35E8AC71B6428DF85AD26C3D4D08A360FD6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:09.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49D96455525293DC90B643D6405B418,SHA256=9402DF244BFB86CB5975F15FD0AE0431E29AB881839EB94197317C81355A1073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:09.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6E6C84D3E4DF9A28AE9FDA06BB57645,SHA256=14F65EEA2F23849AAF40A57AB54AFA475AA3A678E61EC825E563AF760BBF57B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:10.654{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88383F9C596AD281E4C6176EF589AD1,SHA256=0BCD724D4388A302ABC0F22A32564F81648D352603C693FC90950FCE2DF0D5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:10.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2F770B184EB8EF58C718258A467E21,SHA256=BF356A3A02E7AE315D405FDF1D96AAB249B6C7BC44F936A50D1BAF9BDBF8D7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:07.244{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com10903-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:11.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D3AC50B83415949C53867DB0E588C9,SHA256=9FBF37C08AC030BD742E1E221D81612984C9160FE76CCBDF3C1767DC183CE15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:11.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7007B0402F0794E25C16707F8031CB,SHA256=2F3AF58BBBE897E997AEF02FA508CA9C5B6E64D6B1E5FB4ED3F430343304BFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:09.024{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com12460-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:08.865{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:12.806{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:09.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58895-false10.0.1.12-8000- 23542300x8000000000000000969863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:12.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2EE779E3931DF38299507AAF5C2974,SHA256=299157B63572B42429CF0E708707BEDECE8E537184E58559D2FD03962CCF902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:12.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C328E1837B843D3428CC5E06CCFDF7,SHA256=7075ECE8DBDE840B13865E4F35D27813BBB454783574B260D17007E81EA5DAA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:13.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5427F6FA49083CF86A78EB8B4BA0180F,SHA256=7DF3490BC01BBD30949A32F9ADA4FD6653B3F86160912D3D09B50C9ADD720DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:13.418{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F0C5F7E1437683410FB84D9DF24DFE,SHA256=CF655E35743FF2570AE7AD2E32F2415BB1498C25A2882435BE51B9E324A41E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:11.378{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:13.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9416503E4CFC40903ECA8BFC8038DF76,SHA256=4DBE4056B2359FF1676B05C0D8C45C75365870C7858694BDE24CB836C961E0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:14.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E21C24A87CA26AD40061E47A4370C,SHA256=DD77A6DEA316B5A68B2DAADB25F3248894AAEAB0FC16494EC589172196766FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:14.419{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12B09FA4CB51E3C24B0F442AE55C653,SHA256=83315459BD3D7DE515B048BE122914FC5C78C04B418E29D026DA0C135723C4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:14.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F4419EFF8AC7A3CFDC458BDDB906AD5,SHA256=D800F34E585011B065ECFE279ECCD7520DA4D9E818B3DF2278FAECF094AEF2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:15.697{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77F1339E5B0ED70C7C08AFEBDF9D0F6,SHA256=B5A2183B85AB88188EA123A1402BDAB72F9E1BD0D6293480010BE6913A42424C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:15.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7EF1F897525E2AF00DB0C4D6DD7E49,SHA256=E93FA3B0B5EAD6BFCCDFF0A2DA39CB8E12A5685F4292843E4BFD0012EFB59719,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:11.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:11.440{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58896-false10.0.1.12-8089- 23542300x8000000000000000969872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:16.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1216450A1CF1D8293B384A7532F3499,SHA256=676418461D41E51E3172D806FDD87D702E3319AB0367DD16C08CE5CA2BCC53E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:16.954{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE3EB659384AA9BDCBA2981B681A41B5,SHA256=48AC19DC80189575D0DEAA34CADAD5D71881664280CD0F755262D5B435D7163A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:14.826{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:16.436{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E774B7616F8C849241F00BF15BB05E,SHA256=23A25D3E1CA4E4A6747CEF67801754B3F9BDB11ADCBBCD46242763E3F73391A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:16.420{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=6A5988EBFD1BABD9A5568631A1156E90,SHA256=33A55EF38B3E1EE110951941A92DD0EA22C7FEA692F11234DFA917406C75E1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:17.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F38E81D4FAB5CBF9FBBFB9CF11C0608,SHA256=5415675E5D253AB9564C98F2CC8EB4FC76DDD42C75831B80DF66824A23CE5C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:15.628{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52927-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:15.628{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52927-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001040207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:17.453{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89221059837BF1EB7F50CB1AE665E8A0,SHA256=F1E18A590AF5EF7B1E837D91C7B5806236FC80DE46B466D61F96D7D71EB655C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:18.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD987DDC1F711F681BA0427203EF4EE7,SHA256=57AD4C97280E4117F5F950FA796A14E2F12F2F2A5F235B4423553A95EEA47177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:18.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB619AE193A22DE2B033BDC96469BBD2,SHA256=13A0FA466A9087E1FC45C7F386465DF666BD110D316D377E3D015DE500DA838F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:15.721{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58897-false10.0.1.12-8000- 23542300x8000000000000000969876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:19.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874C833A3E6915EC6B46FA116B27CAF8,SHA256=CF2838A377B4FE81F72A0C27C1DC0573EE01A76FE6E38B08CC8DEEC7A9C67275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:19.502{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DD8463460ED43AE68FEAFA59D70028,SHA256=EE30BC6A27F5664763A059D6B30947C62119216A6AAF429A041199CBC1A9AA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:20.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027DA1D90D32749212AAA214D359FF57,SHA256=DC873D567040AC41F44D2F0DF7D413DC01121A62E1F96C18DDFFC5F26E024787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:20.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEC0DEF6CC0AA9D57B42A261FAAECCC,SHA256=245E99071CA365ECE8E218BF6A69F71F0C6E738D8B757D4B3237F8A67894D9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:21.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440278938BFB64673F96B07F4E842459,SHA256=4BD54903486E4A6499A0CE6ED2C7F4BF88FB63627DBC9AFE77BBEF10329BABB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:21.522{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A856940D0022E356D0D4E18B0ABFEF,SHA256=BDF8DA0BDD195DDA3364D4B63F6DF07BF8FE201B597D57B25D424C4425287B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:22.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B949FA1036682F5E4BC012D0F57E67,SHA256=E2B58A2FDCBB6DB6714F3F7736D7E54F4D84199C794513C2460FFA78648D4CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:20.834{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:20.761{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:22.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE0640D59743360626F91403B30CB2,SHA256=E409F68B8CA4854E18A27A44D985373F130CE8B51170A416CF5634AAE283D201,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:19.477{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:22.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E52C0EE70FFAB42E80D9A2CD9ACCE8AC,SHA256=5665EB786E11A8BD0D0F5D84A583FEEC9982848E74D1E84EE7374277E632EADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:22.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E93A54A0373DFC7E74BC9B50F1A2BCB,SHA256=8F87BE9BF5247141B6DE13FA0279E744E0E2A5093B2EE293231C06CE57204D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:22.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD81163A752B83947BB8FCA144F4F44A,SHA256=F0FA17CAFEC0A28CA75C5F1FEAD7C2CA936E3A1CBF9C69F2F46F96C59B3754D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:22.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15E948A0D2A2E91D7C3B834631D1177E,SHA256=800BCD9352BFB9A1148922D12BD819F6ECF5166C06D91911E48B0A7564C4EBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:23.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7421517AB1C974C9D23698590E02E,SHA256=20F35D4D9651E7DFB0FF439F190DC0549B515EAABDB5CB5B0C54FCA9E397124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:23.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFC51FCA72041688DD9A3CC385DF7B,SHA256=A9A685FA140F204B891E5A25B17355BD1C5C859DF4FD5A15492A3F22040538FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:20.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58898-false10.0.1.12-8000- 23542300x8000000000000000969885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:24.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B1EA06A82F8A0A37C4E0A3672BAFD5,SHA256=81F70D2CAF28BD650993E708729430875B3075EDA9D3E80E9374796B4B86F8DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:22.352{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55365-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:24.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AFFC47615F4125F65885B0607F7DD6,SHA256=F3938C8F494A27364957C50FDB2F9007DB0CD901CD1DA166DA445FE07C7C1A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:24.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD81163A752B83947BB8FCA144F4F44A,SHA256=F0FA17CAFEC0A28CA75C5F1FEAD7C2CA936E3A1CBF9C69F2F46F96C59B3754D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:22.935{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:25.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9266F113EB048446E3B901FCE2F120A6,SHA256=080900CB099AFEEB83DA47D57C107371E8DA6240AF2B27CEAD4D58FD7CDFFE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:25.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C09714AD126B8FF58CA687A96F5E402,SHA256=78248A7B33056C804A8EE7BA07399B86CAADF92758066029EFD823C9174CB829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:26.731{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B9EA6BCCAD8ADEB3DBE5F3046B18D0,SHA256=BDC7D9D426D08643F35F9426428DD5B554D12DD6DBD96B3F440EADE54234778A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-815E-6151-A578-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-815E-6151-A578-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.886{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-815E-6151-A578-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.871{69CF5F33-815E-6151-A578-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239F4D7C4E6E1B96FD8825C5A2472065,SHA256=C56FEFC1F9A7FAD06F9091EB27EC18A16FCA1A89263A25D8685F856D13ABFD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.386{69CF5F33-815E-6151-A478-00000000FD01}37041316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-815E-6151-A478-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-815E-6151-A478-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.198{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-815E-6151-A478-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.183{69CF5F33-815E-6151-A478-00000000FD01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:25.876{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:27.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A337A07D0720DFF9AE697E6F7A73BCC7,SHA256=B0A805CD36B49A21D4A606354A92A4CD61A750A804C9892481BA3EFEFF0BCAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025C47DB95667734AD680C14152F92A8,SHA256=13F53FB32A2A18ACA17D417219CF5EF6366B51DDED2248FD05FC7C8E8017BF01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-815F-6151-A678-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.573{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-815F-6151-A678-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.557{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-815F-6151-A678-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.558{69CF5F33-815F-6151-A678-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E52C0EE70FFAB42E80D9A2CD9ACCE8AC,SHA256=5665EB786E11A8BD0D0F5D84A583FEEC9982848E74D1E84EE7374277E632EADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.057{69CF5F33-815E-6151-A578-00000000FD01}40001440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:28.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F045CA6528CB6974DC8C3448767582CD,SHA256=2BFC3BD6B69910C615676F8BA4F16D4DC31CCBA11EC9E8E0FAA4A5A41DBF98C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8160-6151-A878-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.823{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8160-6151-A878-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.807{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8160-6151-A878-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.808{69CF5F33-8160-6151-A878-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89756E910D98773DDACE5108984D9D35,SHA256=E5578955E08192EDD24E828A6F18230D191C0CBE700C2DD914055155589FDC14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.401{69CF5F33-8160-6151-A778-00000000FD01}2324100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8160-6151-A778-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8160-6151-A778-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.261{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8160-6151-A778-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:28.246{69CF5F33-8160-6151-A778-00000000FD01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:29.783{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3F17ED20BCA02E78DD94753C7B3E1C,SHA256=69516371ADB328B4B6D150C762248E8022E24B8DDDF31205513AB2BF2E2E4537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C8139959C064F3942F90BAE1FBAC222,SHA256=6A3261395D2BB56F31876D111788438457D4FD5CAF5A18B307846D803865BE43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.729{69CF5F33-8161-6151-A978-00000000FD01}35481972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000969973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:26.722{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58899-false10.0.1.12-8000- 10341000x8000000000000000969972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8161-6151-A978-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8161-6151-A978-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.511{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8161-6151-A978-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.496{69CF5F33-8161-6151-A978-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CCED6082DDFFC90F1178A9D036DA84,SHA256=F28E25CAD71CB6C7BFF0F53735E82BD2F4C69EEC0A2120DCDBCFE6C2D4C4B20E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:27.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60729-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:30.339{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355DBD1B472333C21E5969CB01BB6BC9,SHA256=E886E3947177FE26FC9AB1F9EED560D5043A8303C719E826AD14A956F38C8566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:30.984{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4268MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:30.750{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F51317724C98A180E9363120092C516,SHA256=86060858A37C1CB60ED735131EF27F51A90A92CC53ED5351A06BCD44E9F28FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:30.749{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABC882856BFDF50239E3ECDD6CC3147D,SHA256=250D241E913A0073DA2A68D415CFFF526F3CEFFFE718E656B4025936DB2E4A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:31.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA023BAE34B3528BA040E90AE683BAC,SHA256=7FFCDE3DB97AAAC2BE9AE7D111819C7F4B59E7A1211FAF8FE7B529357FDCF13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:31.987{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4269MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:29.098{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59494-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:31.012{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7CB7B8CC55008BA1C4DC53B2FEBC3A,SHA256=424B01318609B714C0FB43A474F71FB2ED54F1F4A56060C4E01372C259D2EE68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:29.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:32.729{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD60A4DCEE2F2C6E91560AF0914708EB,SHA256=55B3FC00ABB93C01E66D1BE35E28834C9C3E545C8AC3589644074FEEA06FB0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:32.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E79986189AD92F12CEFB6E65E91F79,SHA256=1E9B7E7A5E4F6386B3345E9143C64947BA89C0B42728EC45EDDB92DAF7DB96D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:32.229{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B7139C4A99F3CDD4112AA5D8D677A0E,SHA256=B2696AD784DEB17EB09C2F4F62A644073F9041A12F237864DF03B8910D191FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:32.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE2B2FAE5DCF3BB160C5B58BAC38C40,SHA256=5D7318E3866A4B0008123012D42E3F5B422AF902C1B12E7AD02F32ABAA0FF00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:33.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71652D7FF2D8AB317E86CC6CC85FAE3D,SHA256=BEA9B6F8727E50B660F9C6DCC09C583E2E948ADEE21011DA30E9307CAA2714CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:31.777{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:33.156{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9F7B2E725C4328A0DDB1AD0355A780,SHA256=63C7E3DBD29A2A803F76AB5C7C9544A4FC3A5302B865582223259F261098AAC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:33.048{5EBD8912-80DB-6151-F278-00000000FC01}60485740C:\Windows\servicing\TrustedInstaller.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+53278|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:34.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56F8A856B17E612F6C2A47B7EB8A6E2,SHA256=744B59E4DFA30FBFAEF3F6E75BF3A3B46266B600A551C056AB591F605D548A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:34.181{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248E4A3099380F4CD44C61C0A00EE01D,SHA256=1DA372CE13F6816B8CD15F2867890A03D6AE16532E4DBCEF1345EC234E2A3590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:35.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB6BD1D96CD33D2E8626B891988B4E9,SHA256=EFF86B293E762927136B8B1CC1C90988EF8E78318039A9F0A111B2775BA78094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.664{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.211{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED7211CBA3551584340CE82C87CFFE1,SHA256=8AC76731291070DDC438460E85E04D7B289D4378E3A36416A32E6CA8E35B248E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2EE6FC356D0E74987994668C6E1C7438,SHA256=EE597A0FDDA5FA8559DA260B768E8D843A841AE839FB15FC1BDA19E73841D4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B745EE4349E85214F6EC54FDC3D936D,SHA256=998C122CC77A24E30759CD6DADA0D8CD9B43ED91867283804EDAD96037F3F602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:32.722{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58900-false10.0.1.12-8000- 23542300x8000000000000000969988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:36.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB18390B9F8782CE6FFD2885F97F3EFF,SHA256=546E9BFAA33174F178F41F4F3BD5AC8CB622FCA999B0C9FEC0C62E5315B4AE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:36.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0C5F253DF11EF16D9A1759027204C9,SHA256=7C61762B184E737F8078E117C43DED723B907B56D52C81804727259F83B2AC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:36.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A51E8CF02CDE45D7131814B5A1D1C3D8,SHA256=A0F98DAFC8BE02546A4A345D0A405BB9BA29BC80065DE13BDB8635641A6A2F65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:34.360{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-54026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000969991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:33.940{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de65165-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:37.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F376CFBE45BFC27107F0106E69D08467,SHA256=2756DEE719F860058F0DCF8747FE851919A122045F7A6DA18DF652E332A38AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:37.263{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E735A3033D55596F02F94CE15F4137C,SHA256=4E50EFDCFAD1E3A757F2F1AF2F9AC7C4752A08BEE96D34C32112D375E0849EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.604{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63498-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:35.340{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000970005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2218EDB646172F37EC60F476214DE8,SHA256=D31893FCCB23BEB0B2BE84DA4D4E9C552B7988D3C204B9E2C9DCDAD9597EF04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:38.925{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=82058224BD761353B39207EEC061DCD8,SHA256=31F10CA54E98A7F243D0051181CD109D8658ED35B92E0B93B7A873017B27808F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:38.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211E3CE8CAC7DFF862428E46A998BE22,SHA256=FDAA17F290E0017C7D804822C2EAAC4F11C7640B10296D38D6E0E23A8A7A276B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-816A-6151-AA78-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-816A-6151-AA78-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.448{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-816A-6151-AA78-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.433{69CF5F33-816A-6151-AA78-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:36.260{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:38.130{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD4838F60B2B2B69EC990DE3EF265F4,SHA256=03D01E015CFC578C348943F28E7EE29801143903383D205B538EB5019C9F6998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:38.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F51317724C98A180E9363120092C516,SHA256=86060858A37C1CB60ED735131EF27F51A90A92CC53ED5351A06BCD44E9F28FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:39.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D87E0572FEC3B737A44EE163548227,SHA256=88A669A542514DDE49A9B8A5C4C8663063BAA53BAFAC86A325719FB49922D2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:39.293{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F22813C5377F4494CD464D33BA38B3,SHA256=8D104EC28549B7C93792AB5D21A691B6726A1E0E909B18A6495BCD2F1EBA10DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:39.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B75A6235523F0381ADFD0BC8F20BDC0,SHA256=2CC3339C8DF843957DE86A38B92D4E9F50A9A823FDBDB79CC4FD5A816037A2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:40.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCA16A5394116DB6644691EEEC0D2B8,SHA256=7841AC0336E4A3BE369DF66F9832DCB04CAB1F9A24E04282E8351BF8CE01D1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:40.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA44B18DE26ADEFD5A448B3E53F3A395,SHA256=00A0215C3F3BCBACEA0848D8EBA046CFE333B1EE2FE4C163E2F14B31DB68B476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:37.027{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001040256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:37.739{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:41.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C6B1848F1F4BFDE2CBEE32455924CA,SHA256=38199D1C74000FE905FAB9C44D48281999B904593ADFCCF257C92C2B8FB1DC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:41.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F6E983252B319F72A02D66DC14E6AB,SHA256=7AB5E1AB0E1C32F2D77951EBFE4D8FF1B00197C61B2DD1F3493EB9FF97B1C944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:41.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD4838F60B2B2B69EC990DE3EF265F4,SHA256=03D01E015CFC578C348943F28E7EE29801143903383D205B538EB5019C9F6998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:42.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F54340C9C98AB82489808841569E016,SHA256=7A30B1F490BA23289200CC46018C3F7625DDC0C87AE072A5FCCB39C15EAC04E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:42.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6D277FDF6BB5BAC81C7DE86C7E001D,SHA256=311A03FB0090740CB387035A46DC3010B484A826207F5AE9B323C8A6081DC869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:43.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250B9F0D077F915D1ACE558C20525B7D,SHA256=FD075F4673F8894248F18F021211F93D578D72D2F9343EF7A9720C0844B23F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:43.346{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C75E80B1C3A49CD50F986BEA77E2A4A,SHA256=946894B75BF09BDCE38D083FE000AEDEEBC252F016198B53C5CE12C54A0EEAD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:38.722{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58901-false10.0.1.12-8000- 23542300x8000000000000000970014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:44.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3231F75CAC7545FBCE9F620C22E5C2FB,SHA256=77C2551F9EB9D922C3989D31E32F5A91B3C87C46D1517D9B2837FE28EA9761F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:44.408{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5E73472B66D93D828C61641C822FFC,SHA256=571C9937ECFF0A6F337ED5ACA89131BBE1C64A70007E62D19AF32B904ECC6B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:45.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A0422638A80C1C8BDA29F0DC3499EB,SHA256=F7300BA5A882BEC7763B411BBFB247BA985FD623B5C1E6AEE451E2B560D9003E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8171-6151-0379-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8171-6151-0379-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.676{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8171-6151-0379-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.661{5EBD8912-8171-6151-0379-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.445{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6852ACAE42C7E230AC3A996A142066EE,SHA256=676D75320A00A42993D6133CFFFB79AEE176BE57B531BB4E95D4544F4CFC2D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:42.868{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001040271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.323{5EBD8912-8171-6151-0279-00000000FC01}52606860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8171-6151-0279-00000000FC01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8171-6151-0279-00000000FC01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.130{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8171-6151-0279-00000000FC01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:45.093{5EBD8912-8171-6151-0279-00000000FC01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C225C91F75DFB9D907232B58F4E003,SHA256=8B8694842AA3032D1D595C24D8CCEF955CC460B84C0177436484F8A5FC762026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:46.405{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A840C4AF68D270B1F9D68753060AB1,SHA256=F3A696AA2AFA33BB01BB0C5B519B11C0E29BED7C127B07F1F92696B82551A423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:46.405{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F684336CDC173DE0AAB05691FFF0E7D,SHA256=69FE3D4465D67C2DFA5CD586C90926491FF4F650F7C75148361320F16C66C16F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8172-6151-0479-00000000FC01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8172-6151-0479-00000000FC01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.275{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8172-6151-0479-00000000FC01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.260{5EBD8912-8172-6151-0479-00000000FC01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:46.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59C27E992A096C794D774337175B7AB6,SHA256=3062E21FBC89D75709EC00C889B73DB561665CD018D1834D351BFF9AE664F10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:44.739{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:47.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57D4E46EDA935D5D081CAAC0955393D,SHA256=377A1193F0B79D9723023B32F9BAF42303FB9603A7D17D9AE83A30015349D155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:43.882{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58902-false10.0.1.12-8000- 354300x8000000000000000970019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:43.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:46.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160C6F4A6311893DCD8898ABB0045181,SHA256=81798D92A4664A9C186D14834A6B7C6E34225E1FF8E7283B13F1E8825BA239F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:47.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=856FDFE39F81BDE4333FA6BBB286FA4B,SHA256=F178F72D6E6AD8E83BE07D0B12DB0A6AECA19C426F322A095884356088EB8608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:48.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46832FEB25BBAAB98E2759A940B7C1A1,SHA256=9087FA0A134177D003F01E6A36679C906D60545E04E9150EA98F61DB78A52696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:47.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D1B17B5C34D7C44DF64F68C83D28EF,SHA256=83B2769C82F64F5293F2507CB774A7D983FBD92CF3522D77E29E9E2C307BDA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:49.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADAF60B3BA2F6046BBA239382D08291,SHA256=97AE7FC94F57CC7CC394D29967F20B4D45F2E2F78FE87E8FCA6B873ECE7E9ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:45.976{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:49.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A840C4AF68D270B1F9D68753060AB1,SHA256=F3A696AA2AFA33BB01BB0C5B519B11C0E29BED7C127B07F1F92696B82551A423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:49.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F725D572CBA3A425945ED76C44339,SHA256=2F5A6DCCCC09D44AB041E6B40D437226F6AB03A01E2047A983F0B239DD26A2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:50.524{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D79A11325CC94D6978BCAA6E1D2994,SHA256=F2906141D241339FBA75BF8D8EADD1CCED883466703A194ED8E80349F735CADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:50.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157AA3874CFC6AF5FBC9BF9721A323D5,SHA256=9404B85FEAE4DFE78F94A149D804372C251214A2602814C2AC16A561D50A1C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:48.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001040297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:48.113{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:51.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ECDB0699A06E9AB5AE2FFA8B75C791,SHA256=84B4D61C09106C1EC57DDF06D303B67A8208F4714D03EA4CD52E05DFB55A2015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:51.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202B6B8098188DA5BD1DDC3B743BE6DF,SHA256=6BA63D1DF5A283E71C32F61FB898248B67AEB6BCD31163DD81AB9DF28599637B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:51.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=186D1A113CE1EA42E5B36318C08366C6,SHA256=74B61FCB5066F866AB7E46ACD680ACFE310816FD993C2335018D8371494C6FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:52.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376279F669EE6F281DF59D94973185E1,SHA256=E8465B7BD095170D442CBDB3F709621AC8DE32DB67A50A4BBEECC236A59B69ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:49.913{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58903-false10.0.1.12-8000- 23542300x8000000000000000970027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:52.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82536C44796501C0DEFF50DCE8936AD9,SHA256=1B3ECEFD50E6798FEB880EEDE3123A9AFC7CB4BB16CFE42EA9EB78DCF3E9B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:53.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE7D20105BBE6B56323028D0C54436B,SHA256=B8101A6CCA6B01E31EFAA9E28DF2BAAA2D943AB133774BC770A0FED35150246B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:53.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD120D97FBE11700EC74DFCC290DB96C,SHA256=E62B343B0CE766B114455C310CD29BCD562C86538BC2333B1D949ED814D62F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:53.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FE505727C413C98F617031E9D90062,SHA256=51E6DF8B00B5EEC814F028CF882EF3F7D273E4A4AB1968D470C0E0A070F2E69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.891{5EBD8912-817A-6151-0579-00000000FC01}70964204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-817A-6151-0579-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-817A-6151-0579-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.622{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-817A-6151-0579-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.607{5EBD8912-817A-6151-0579-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.590{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218D122F51A9A59D3479275C330FFEC8,SHA256=39A17D55F34B1AC73D148996B6AF578EEDE4833CCCBA239250C71205F7755AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:54.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6B2A36849609361AC9050DB2F5172,SHA256=6B1B3D6EC9A28252803555DC10BDB1749C5AD18BDD3525B2C8861C8552CE103C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F256894320AC1BEDF090D5D8333E89C,SHA256=8944A4E0FC7F579763E02573B0528371B47CC8FD29A39960FC69644AB1E8C1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3442B4CA0A02F5D081DB6BF93EFDB8BD,SHA256=8535C7D864BAE7DD9F82267A0A76990641C16EDD3E74251B444DD6A3F90EF8A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:52.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-49518-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:55.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67EA4F7323C504C75046CB42E6B5BF0F,SHA256=3E03FD80F4E641B95700E19E611A97972E2A0EC491D355BA2C2B285A3AF0678E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:55.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF812F42B2FA452CCB4E3511E69D84,SHA256=596CCDBCFB1DEBAF7313FBB8DBCF1B0AC4A2DC09A476BB2A1B7E90F86A075047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.460{5EBD8912-817B-6151-0679-00000000FC01}57606748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-817B-6151-0679-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-817B-6151-0679-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.307{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-817B-6151-0679-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.293{5EBD8912-817B-6151-0679-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:51.098{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63887-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.991{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE13636A0782E7BFE37CD453A48559D2,SHA256=1445F83B70448D3D7C91E7BD6805FA675E1091A5E8BA47F9C9E1440FFBA53DB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-817C-6151-0879-00000000FC01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-817C-6151-0879-00000000FC01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.706{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-817C-6151-0879-00000000FC01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.691{5EBD8912-817C-6151-0879-00000000FC01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.690{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC84F24951F08660BE335A5739AEB38,SHA256=8E9933267312A3BF60685D90E406B2C6FA186378ED7A0487841FFD076ACD1C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:56.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC591D014EF1F046C5E3D354210FF3C7,SHA256=A7F4CA4B0D7E8584DBD8BBB42071F177B04C953F33A328345413E3313B119D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:54.730{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001040333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.159{5EBD8912-817B-6151-0779-00000000FC01}61526424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-817B-6151-0779-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-817B-6151-0779-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:56.006{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-817B-6151-0779-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.991{5EBD8912-817B-6151-0779-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:57.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE89CFF40F556AC8067D8E50F49A2D4C,SHA256=08B9C2EDFCF6DE02653138981C2896327B26FDD086FE1948D8BB3D87D3C7F9B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:55.722{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com52248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000970037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:57.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DAD22418B8B8625FFB081CC848C5FF,SHA256=67B36CAB52E6CB284989FD1240B0A1736A4D24B1C9432903D7051710B78D4BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:58.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5858D29E6B9224A053AD7A41541CD41,SHA256=D67151D50987CE353668AB5EE15A293B0D996DA1E674A4B415D58E978F23F192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:55.898{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58904-false10.0.1.12-8000- 23542300x8000000000000000970038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:58.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F059975AC0FBE4E407ACFBE7A4265465,SHA256=5DE9B4DB6F37F6AA40FE9C89E6C6B297FDBA680499BBAFAB0E8B1DC5B1747DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:59.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD24DE84FFF63A85C05B7D222C04372D,SHA256=CB9B678FA266D49A6401EA80FB2DF930E11EFC3FADBC9C1AACD615DAF27AE484,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000970050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000970049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa9b8d4) 13241300x8000000000000000970048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b371-0xc13e0a6f) 13241300x8000000000000000970047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0x2302726f) 13241300x8000000000000000970046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b382-0x84c6da6f) 13241300x8000000000000000970045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000970044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa9b8d4) 13241300x8000000000000000970043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b371-0xc13e0a6f) 13241300x8000000000000000970042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0x2302726f) 13241300x8000000000000000970041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:31:59.780{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b382-0x84c6da6f) 23542300x8000000000000000970040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:59.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959A432844F0C913B5F6C5221B51B42A,SHA256=F67DD378B94F367A6A7165BA041047021B7F5BD33D220C8A9AC6FFB0FCCFE91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:57.401{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:59.489{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35F8A85A9EB1CE867FDB5FA6F5A4A4DF,SHA256=F08C8E043655453558F3B5AD7B21119844737656DD04EC9D7C696D802001E444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:00.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B575316E82437F03128C4711EF1376A4,SHA256=630F7CD75CF89F340882E9F51E0534CDF6A77829A8631065BECDAE33E84A6CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:00.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958C76CD3217619B3F6745F893FFF94B,SHA256=90B74E93CEE95200A56AA112A3D7FC6668E2D154D16BBB7EE08FFBA60AD5EAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:01.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22319EF4FE5504757940BFADE6D05027,SHA256=8CC3BD7C8A4E937472E5F357F822F578165241E888D3E05F832C1A2DDE4C83D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:01.820{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0CE94A884409CDC85A4D81533FB993,SHA256=5096693E06174DAF224A65C2AB8D1A60A00277E4294BBAB24A9581DA93C5F092,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:00.199{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55197-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:31:59.950{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:02.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096450BD0D23AF17EF9DFDED9D0A0C97,SHA256=E0F14CE562724A8CD061931A500C9C37F0CDB8A0D46766D87A70DDF7A4901E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:02.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BEFA59456A25C2F5A9E7E79F7B793B,SHA256=9C94519BFB115BAC5BD75082AB23AF580A3332466ABB743726560C94491DBF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:02.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3118DF5C15075DDA69678F099678DDCC,SHA256=8BE573B8B7423BBB443F4EE951C2A8D000DDCC163136CC3664E09B60FED7CCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:02.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4A2917F9A4BC99D33ACB3A220C6C96,SHA256=8C113B118D55081C1BF0081A2CA6520889740A34E65D5B02DE2AB624AE85DE6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:31:58.908{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:03.183{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92D89FB2CB80E963AD065BF35D11DC9,SHA256=481B0CE2169803E7DFC0E5323A37B990D820F438B45A55D1553209DCB2CF2201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:03.037{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905D705AD946C05988B3D53379DC05FC,SHA256=2317017843121E7B159783818949064D7362A7B9AD3CF9E5A390706DC7541805,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:02.494{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57107-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:04.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A99B8E1C0299979F93F9237546AF04,SHA256=BB31A13D8849D6812971F8DBB89C53C23D208D8372A38BA9E50BE6CA797D3492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:04.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881AD0040EB580CD6BDA7328E9E4568C,SHA256=D3D9D1B5ED471312F8F4CF0F7DF6BE8104EEB639D850F807B1A2FC0A8265161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:04.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE41C64D94F5A1C920002A3F520D2B2,SHA256=507291977F125B133CE3648422F100B49B6C09A32D1324ECEBE2963A93081B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:04.062{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4269MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:03.581{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de57187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:05.073{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50595567E2EE47876B157BB1F184A0EB,SHA256=2CA044AC6AEB393F1233931F8FEEFD27BF88D8AA2ADB7733781C50834BD23F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:01.691{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58905-false10.0.1.12-8000- 23542300x8000000000000000970061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:05.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CD3A1C5EDCDB0DBBB9390EE63F26DD,SHA256=31ECE4081FF003C7B4442ECE31341D2DAA3CA8213063EC48855F839389F34A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:05.067{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4270MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.987{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfa9d4f7.TMPMD5=DDF895DFD7609D2984E991D211E0E0B2,SHA256=EF418A554FC9017CBC0EE9F9544D7E6FAB35C8C89BC16E3A35EFBC52D0429B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.940{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfa9d4c8.TMPMD5=EB057298E7A7044B9778E9899E3A057C,SHA256=9CEE75DA80DFE217D30F4BB3A95423687B86F553DFBEC043C21518F4621FC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.878{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfa9d48a.TMPMD5=7B31CECF52DEEC7910C14BA5FF5E1860,SHA256=828D9F617F1B776652B8E3B8DE7FC69BE0CFE2E519EB7486B8BE33D1226EA40C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.581{69CF5F33-7F28-614D-1400-00000000FD01}3681336C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000970091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.441{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfa9d2d4.TMPMD5=D96DF212C03605BDE8A3198E05C5F414,SHA256=B6DECCC20CA981E29A54EF9670727C2B4B7B3DCE3CC64C65A80F9281F52F9584,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.362{69CF5F33-7F28-614D-1600-00000000FD01}12161088C:\Windows\system32\svchost.exe{69CF5F33-8186-6151-AB78-00000000FD01}3484C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000970081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.315{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=0CFC1AF390A9B326F73174103BBCB6A8,SHA256=B3B319E852C64AFBB315FB08DB086C960625344EC8B64337600963213C27BD0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.315{69CF5F33-7F28-614D-1400-00000000FD01}3681336C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.300{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-8186-6151-AB78-00000000FD01}3484C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-8186-6151-AC78-00000000FD01}4052712C:\Windows\system32\conhost.exe{69CF5F33-8186-6151-AB78-00000000FD01}3484C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8186-6151-AC78-00000000FD01}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8186-6151-AB78-00000000FD01}3484C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.268{69CF5F33-7F28-614D-1600-00000000FD01}12161088C:\Windows\system32\svchost.exe{69CF5F33-8186-6151-AB78-00000000FD01}3484C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68679130577C06BB2D336D77C9DF6FF4,SHA256=F9B2AC2E1D810E2149840902FA8396E2D3F10C6C90B29E650D6840AA98471D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:06.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B9B278B109E176358695568B197679,SHA256=04E62B288769ED14241793F41A11BF08AC9EBED3C5FA21E70E5D618A1EE0F2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:06.158{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BF9854A6BDABAE1735588EF1696024,SHA256=4B4FB7C151DF0ACAC487294D2B7206E2B2AD3CB6F731128C7EBF514948B48C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:07.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2B6E843391C39A46BB2A97F8B185C3B0,SHA256=7EB05656D353CD919E9F746067EF98F748BA37EE1E42C13A68B489F2FB01D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:07.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261EC00613DD2E51FDC5C98B154E5DB7,SHA256=700D29C5426AE50E63ED96C4552E74D425ECFECA4D77998130CE3E7D5384EE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:07.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B74F46D44440B426FCD0120E38A715,SHA256=0A3B5CB434D09DAEA4A292D83B252EFCEB16303A0AB0A1B37D8CDBE10DB3FECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:07.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A019AA4A937636DF16B94F9D0040E7C9,SHA256=53839F7278AA91E1AFB05848A0983ACC6674220FA25CF2A11861C5692B06A8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:07.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096450BD0D23AF17EF9DFDED9D0A0C97,SHA256=E0F14CE562724A8CD061931A500C9C37F0CDB8A0D46766D87A70DDF7A4901E00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:06.223{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-55124- 354300x80000000000000001040365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:05.896{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:07.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D5C6DE0AF2219EE5715453A4B0A36,SHA256=76E103158C68E141E22EFFE5B2911A22EA0BC928C7A4BEE901D07DED6149805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:08.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ACEC9DA39B1F41B91223C8916BA150,SHA256=D695D6937B8905B84CB7D57BB218F4D9149AC195AC1D0C0A056309D36587EAB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:06.458{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-63909- 23542300x80000000000000001040368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:08.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEC67B89E7E8B029294B903435785D78,SHA256=1D0F3CACC3234F9B31953109BE5A2A4A1ED2D392D7935235E28164DE58D51A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:08.188{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3099A2CD2BBD191CACB234113FB5F59E,SHA256=6FDFD6C1AD0DA1F6935F315837C5A449A0A80628FA9D8EB77F79B128D12FD407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:05.193{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58906-false40.126.31.6-443https 354300x8000000000000000970109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:05.183{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:04.436{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-60841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:09.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E64510AA0CF8BCBCFEC4AC038F9B11E,SHA256=98AB70217CDA91D035695159FC8EF4EC3AA9417AF50465443A810AD6088EAA85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:07.941{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-54395- 354300x80000000000000001040371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:07.151{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:09.188{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF63B3E2FBFB5D7BD00806B0552CF56,SHA256=A5E2F35FC1DFC26791EAA1625CB3645F599D7C32B02E8E5B9E30FB5DCDB5BCBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:05.414{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58907-false51.124.78.146-443https 23542300x8000000000000000970112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:09.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261EC00613DD2E51FDC5C98B154E5DB7,SHA256=700D29C5426AE50E63ED96C4552E74D425ECFECA4D77998130CE3E7D5384EE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:10.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3B828FB408DDBA504ECA19CE1629F,SHA256=7E5D3D82A1D556F3B9D541734062A457AC2C750D91250866B5314A20BDA5D043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:10.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CDB7C59A8C2AFCB3F14A0297883AF,SHA256=815C4F651B291ACE7B1029C390E97C5E647E80BAFDA0C91A13EBE4C41C9A4BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.886{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58908-false10.0.1.12-8000- 354300x8000000000000000970115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:06.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60971-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:11.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD5CFDD74724B8987DBD15398241B03,SHA256=0F6D08BE7D52957F2F8BA326E72290A91B6EFB7026AA695291006660F3653A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:11.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37BF45DE761A7451B00965ED0BCF2ED,SHA256=75A81C2F74C6D8A92EEDB3F8607BD0363C616A9278FC267B4EEE41337748C6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:11.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BD3E193C42B99391E73A344695E322,SHA256=BED25784046B2EB515BB65535A5CC9F51A37362D001EBFFA10764213014E4340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:12.286{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD43AB0E0ABA2FC11F7D5BE54917497,SHA256=33CD81B94517B9C1876BC106DDE3F3435173E0721D67939E53217B7B9CEC2EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:12.815{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:08.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001040392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001040391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa9f291) 13241300x80000000000000001040390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b371-0xc9f1d5e5) 13241300x80000000000000001040389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0x2bb63de5) 13241300x80000000000000001040388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b382-0x8d7aa5e5) 13241300x80000000000000001040387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001040386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fa9f291) 13241300x80000000000000001040385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b371-0xc9f1d5e5) 13241300x80000000000000001040384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0x2bb63de5) 13241300x80000000000000001040383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.516{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b382-0x8d7aa5e5) 23542300x80000000000000001040382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:13.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D42546525D501010EC1A33CFCDB86A1,SHA256=57AEFEB8B1F3771407F7B16A49CEB33396053D81ED3599B06A805EA24917A9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:13.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5862A342633205E10F308636F2A5D8,SHA256=296C07CFF7A2C4C27B55EDB6BC178ED35FF59B9DAA93032DB21196C498379042,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001040381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000001040380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x80000000000000001040379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000001040378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b37a-0x2bbe87f7) 13241300x80000000000000001040377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000001040376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:32:13.200{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 10341000x80000000000000001040431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.437{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.436{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.436{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.434{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.433{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.433{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.433{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.431{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.430{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBA84BE9128B0968D949BB3C1F8A630D,SHA256=6ACE3AD42FF70BC11946C0EEDBE7579651D33839B4989D6165BAB838D1E3B3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2EE6FC356D0E74987994668C6E1C7438,SHA256=EE597A0FDDA5FA8559DA260B768E8D843A841AE839FB15FC1BDA19E73841D4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01A00D719A81F7DE795360F3B126598,SHA256=7C8FB9C7AF010574D62FB06AED25DC6B449A1E42EAE9E54BABC2FAE9074716D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:11.464{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58909-false10.0.1.12-8089- 23542300x8000000000000000970123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:14.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644A68CC5DC6D71C0D9B23C893497D27,SHA256=834744A09CDF0DA618B044E654E56C4198D658105FF508233B8EF779C4AC71CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:11.824{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:15.883{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167931DC203AF50032ECBC205C6F8599,SHA256=7AE68E84B583051D5C5D093D7B673D51D722B884B40386201E070BDA3ABC40B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:15.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1458D3F13D8ECF523A87622C24AB9F,SHA256=48215AB7409D5A9DD42A6739D598D398794D247D8472E764B7665CA38D79F8F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:15.052{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-79BE-6151-D877-00000000FC01}5020C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BAD2B8C219B89037175471F06CBC2C,SHA256=69D85616EB3AD7DA533487660F74FABE6702B6708D92F6A63507947CF3295127,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:12.839{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58910-false10.0.1.12-8000- 23542300x8000000000000000970126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:16.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814103FBEC6A93372D8BE1A981980E50,SHA256=7A443BE196F5C5199FD82A1DD4149648AF553FEA6988962A7E7946AD3784D4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.451{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001040438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.451{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.451{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfa9fdfb.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0619343FF19F95B4E64ABDBB8681FA4,SHA256=5CEA0EC101B0C457674E3A373A9E40D44B02E47853BD0A956BC247C0F2363618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:16.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F5D6DDA4020A6C2D1D031DAC36798BF,SHA256=6EE589EDC5D18BF79EC7AEB8F55EA80B9FC89166CF17E1BF265A22C229DF1BDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:14.678{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55045-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:17.912{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FEDD708AF7A25CC1D605F3391C98D3,SHA256=990C45E742D69317103015A0CB9852847A81FBFF5AFE8C8C7304FA30B8042C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:17.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8A1A381430086DACB44F57CB0E05F0,SHA256=3965B1D3EB406CB4A09CCFDBF6DE65598AD9E6001621FD12BF7932A9FC0B6D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:17.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E53DD51C0788FECC5119066D2A941F6B,SHA256=868465A12EB034E8C9AA79BF0DAD4835E41CD479D168145F72A6F2933AE5520C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:17.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71413BD9AE3B9473552A21BE4D9184A9,SHA256=7470DF6609B56DC101CE7908F054E8FBC9693E36944582506AEBD9513F3E606D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:18.949{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D706BE77925B634430422FA5295453F3,SHA256=B338B7D350ED22992C7D81734DE306F23CA91134DC7059406EFEFB82650D92CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:18.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ABA951BB1357891D85DB27C751FF5F,SHA256=9DF710046783918AF3D06A2975B11A5E3994AB4D911BE3971F84785C52D0F7FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:15.644{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52939-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:15.643{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52939-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x8000000000000000970131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:14.964{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:19.979{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91570A4F6FBC6DD96A07017A90F3A11,SHA256=59A446A4A40622AD5C975841D96D60E7AC69071312250181B1B053D9CAFC52DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:19.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8047E685889CA9D0A30946B7DB4A4EDD,SHA256=7440E61FB1036F2B501B72947151D76922DD3CE5F8192691113149528007B046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:20.994{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CA7E3B2BE6069D2C97D19F2698A1BA,SHA256=C2305013EA69F53A2ACC3B595DEFFF8943684D1C87AB27E99B6ABDB99AAED517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:20.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A917D208246553473A62F002A1C8CE71,SHA256=1920C43357723D5D5B782A21DDC27592D3AC5F7B1D128A5E911A8E97B4A944EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:17.823{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:21.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8914ED2046DE3C4A5B44DCC63F8675E6,SHA256=D6521F26F08EBA12528900F8037D417EB28B861EBCE92E1A5210882AB815AB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:22.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E5EEDC8E0806B76AE1C13B4BAE2DE4,SHA256=092B04A305C61E86A8B96FADD69E31ED5BD02D6BF1CE3470456D42718F83DF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:22.009{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFAC9F7D8D9BCC4BDFF55B7ED7431C2,SHA256=DAE62E595060615EB2C3E22F531C061D8030C9D2A4964F44E31FBA2657B7D114,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:19.122{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:18.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58911-false10.0.1.12-8000- 23542300x8000000000000000970139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:23.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AC64C0F1330DC90BE9971CC944997,SHA256=94C0AA137D4BD6B2F7532103B76DC5A77BD189A5AC5949D6360B41C2E47E2F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:21.326{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:23.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3599778CF8C52B056CC9CF2DAE0576C3,SHA256=4380D0A2ACBC8273527874D14190276C6285B1E72261F0EE01353D91BE54A12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:23.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0619343FF19F95B4E64ABDBB8681FA4,SHA256=5CEA0EC101B0C457674E3A373A9E40D44B02E47853BD0A956BC247C0F2363618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:23.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB5B89C3ACDB33466B3F9CA46B781FC,SHA256=A7ADEC424587978C008867B90167C0AEEAECF48D022AB0F5713BE093EEF59B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:24.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6BAC26A5968B993BEDB8E6D8831983,SHA256=678E7E31D877AAF0156024CABE6691261A30E9498107A71271C17FE81A2175B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:24.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91506350E3B6A77891605646D5A77B3D,SHA256=8292FB635CECB4D26DBDB6BCF83D3D5AC165F61DD6E5F9C0246E5C4A19F8AFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:24.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A66D75C0C8DDDC998826F8268E9157,SHA256=04CBBE3B8E147DCB74CA2F9BDFB348B2A2072FE2F36DB14451A59F163E6603E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:24.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8A1A381430086DACB44F57CB0E05F0,SHA256=3965B1D3EB406CB4A09CCFDBF6DE65598AD9E6001621FD12BF7932A9FC0B6D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:25.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA42A0D0B08867202E788570EC28F60C,SHA256=D7BC80B348DE25CBA4E7464A58898ABE5B38CC7E09E2F5AEAB1644329F27F8CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:25.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A66D75C0C8DDDC998826F8268E9157,SHA256=04CBBE3B8E147DCB74CA2F9BDFB348B2A2072FE2F36DB14451A59F163E6603E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:25.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3599778CF8C52B056CC9CF2DAE0576C3,SHA256=4380D0A2ACBC8273527874D14190276C6285B1E72261F0EE01353D91BE54A12B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:23.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:25.145{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655E8108C56D4E09A06BFE7F36D1F111,SHA256=1F96F5576A121816351C4BD6C9DCA56223535585B746FE120AA892C0A1B0DC2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:22.569{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60615-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000970173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.887{69CF5F33-819A-6151-AE78-00000000FD01}1361428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001040458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:24.127{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:26.175{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5C1EFC6DABCB5B09061FB2E686EAD,SHA256=AEEC5CBED9558CD832B907DED7E9620C181231A6F907143EB32033663762517A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819A-6151-AE78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-819A-6151-AE78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.716{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819A-6151-AE78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.701{69CF5F33-819A-6151-AE78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000970159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.434{69CF5F33-819A-6151-AD78-00000000FD01}31361236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819A-6151-AD78-00000000FD01}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-819A-6151-AD78-00000000FD01}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.200{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819A-6151-AD78-00000000FD01}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:26.185{69CF5F33-819A-6151-AD78-00000000FD01}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000970188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819B-6151-AF78-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-819B-6151-AF78-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.403{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819B-6151-AF78-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.388{69CF5F33-819B-6151-AF78-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E111A8A32641E99783EF93B0C047139F,SHA256=B472E387911EA4B3820C070BA97F1A7E56C0BBBFF49FD7FBACD73B902E33914F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:27.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7243696BED6F07D19BE7DEBFEF4DDEA1,SHA256=039DE91E5310D5BB671CDF72F52EFA69C068B996EC4CD0709CD7D0C70E9C6DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:27.224{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A22405E77CFA30503236F151B8782B,SHA256=E1FF080CBB4D5C181B8D9914A859A7E622DDA105DA091B7AA4D5D482AB901525,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:24.708{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58912-false10.0.1.12-8000- 10341000x8000000000000000970217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819C-6151-B178-00000000FD01}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-819C-6151-B178-00000000FD01}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.639{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819C-6151-B178-00000000FD01}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.625{69CF5F33-819C-6151-B178-00000000FD01}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF84F471F304B4208965269DE539FC3,SHA256=BA3AE399190891EEFBE731F19DC91F627F5CA72D94A0DE68D56CFE49E61232CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68FB5E052A729E757FC5E0654E64AE1D,SHA256=BF029F6B0222F79597B3B6BD66BAD8015DBB7A353A4B87CB5ADA840065D142DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.325{69CF5F33-819C-6151-B078-00000000FD01}15163476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:28.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0482ADFC500F56F309E9870640799D3,SHA256=025EACB191C6D5A95F8779F4717A957F75F5621B32077F3455B998D698023D49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819C-6151-B078-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.091{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.075{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-819C-6151-B078-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.075{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819C-6151-B078-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:28.076{69CF5F33-819C-6151-B078-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F0357D48A9E5807B8BD1B97D916AE1,SHA256=B30CBCD57FBFC50B4EFD20AE7824E44CEB42B38C880E0B3F4942C7AE6EDD8FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=167A7DEDA001F742E75C5B253CEAAC78,SHA256=7E1E30F600058BD1D6E4608E391632458242DBE2DDA3CEFBB17D982E2919F0BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.512{69CF5F33-819D-6151-B278-00000000FD01}36603052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:29.276{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DE3F934C7B59520B93B22263E7718B,SHA256=B4A1781B15967083E9A0869F18AA5B85BC9EDEA47DDDB79FB34499149DA79549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-819D-6151-B278-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-819D-6151-B278-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.325{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-819D-6151-B278-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.310{69CF5F33-819D-6151-B278-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:30.307{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCC3D66A88AFB135C626CDFEA85B052,SHA256=AAD1E4AACECADB9567A1BE6C28D506866145C5B770B843DFAB1AC7E8597DE338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:30.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4578041AC4BE2C991143F7335682D6D2,SHA256=FD7DE3CD588D39B7B3514093281039D7AA54412112A34CF8A3F13EAD5BBA24B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:31.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B15BF9A4759B9EE8186F318104E7444,SHA256=39DB6A9F92F518761417DE589BBB6F923828A98B765E12090D5F2F9ECF0E16CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:31.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715588C3CA524BE3196A67645BEA103B,SHA256=A350B893B0BBA9BC3F3FC7B61CBC944CC9D625489B3B8F5D7B6844FB23CCDB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:29.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:31.326{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA9111ADA02F99424586E26ACE1DB69,SHA256=4639396F3ACE3DDA4D435B6566D1A25BD0053AC9B36C327861022213100A095D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.040{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64887-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:32.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035D5D99824F37ED7E9C12CD8EB5D6B2,SHA256=E5330C3588DCDB14A0B1483D071D0220A04778E534309AA1DBFF970D39ED1908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:32.508{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4269MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:30.307{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com14183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:32.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D716B6A01A349353944F1CC6A34A06A,SHA256=B9C682DE9B3E4C5306D627589834E79A64AF181227A87B50371DF9270BD62B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:32.231{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7CC6462E5BEB3ACC0554A0351AE1409,SHA256=8F191F0C4B87D9622EAF8AD5D6330A3BE400BAC65C5F0D672F5AEE6F1A6E441E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:32.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E965BF833418D0428C29B2F61FB0AE91,SHA256=17DFDDAB996971ED01C58C9EA7AEE1ADA744F2F8A86DCE8314DAAA1A652347E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:32.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F2DD42C8632E60347F6ED8329F1FE7C,SHA256=B95C19D3BB7D2398A40A25629AFE31AE21161EA267B2D40DA87679C0ED4EC68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58913-false10.0.1.12-8000- 354300x8000000000000000970243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:29.505{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com14744-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:33.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0DAEF60945DC5359FDBED76B7D1ED4,SHA256=E915269295F93CA48B16C6D4AEADF90A4C66A865F03B642CCE3584848E428862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:33.523{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4270MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:33.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2BD906FC2833B161110942F93A7AB1,SHA256=8D2C49F8DBD992931993ED9C024024FBFA861EFE7431016C68D4065950D42C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:33.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D5275DE1DB393DFF2817C04C30046F,SHA256=0731FC6DFD4C029697C39D4AE396C82E4D1E5C5EA514D6ACEE33E4D414FCB39C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:30.634{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64100-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:34.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B602DD5167B0D84D7ADFFA3E663C1883,SHA256=6ECED8AA01E200AB6E9249816434ADCBF4DF339C13C8EA60420A72E206957C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:32.924{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:34.374{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB97FEDDC2585C411BF4A56111F07EAA,SHA256=F09ECD1CD5DC214792924410B8786695D652003911C6E3BC54A7FD5BF2E4B08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:35.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C530D2E052473F32A44D9861E49374A8,SHA256=949856E32D3E5C1E8FBCC0D20A0FC94358550139C2405CBABC276A9C6160286D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:35.689{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:35.405{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3803B42CD00D95B7BF483B805DF4020,SHA256=86F5D3C45FE4C4C17FDDF6AFC375C549EED74B171D2EA31CD9725423869E5D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:35.205{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E965BF833418D0428C29B2F61FB0AE91,SHA256=17DFDDAB996971ED01C58C9EA7AEE1ADA744F2F8A86DCE8314DAAA1A652347E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:36.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0C36530BA516B2773D514FE80E665B,SHA256=2CF99FE0D82E44A1D06DDE1FAA296A5110C99D16306CB0015528BE20797F4329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:34.896{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:36.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD9A6AC14472407A1FA36672C8BC6A0,SHA256=6F4C9237E0F45282132FAB238C19B7939DBFFA4B82338DC713D4809CF6DEAA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:37.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C55BA95ED0D262F15656E06180942D,SHA256=24007300ED07935E51E9562D9BDAC51CD82A3CF9764C76C27F0396BF9A571CF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:35.365{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001040479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:37.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C2CA811BD2D19C7DFB2FECF46A300B,SHA256=AA727FE592FC416E61E466F1A227F6F00A115E6DECDB8A9F50EA7A1B0FBF67E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:38.940{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=99145B628C7CB933E587A93DC93738FD,SHA256=3A0DF1E2EA2C48304493EB5B908D848AC9E5FF378790A12035A91A55931EAF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:38.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631FE30BC4CAA1438B09457E365B8D07,SHA256=799E3421BB21AE1C5B93E5F436903878C613533F258DD0702FF540B1BF5A6528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81A6-6151-B378-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-81A6-6151-B378-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.450{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81A6-6151-B378-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:38.436{69CF5F33-81A6-6151-B378-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:39.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A917913A78F0072542FA7718B54A716C,SHA256=39EEA733C176E75F3C2D9C15FE4C795A4708B6A093CF53F9442528EC3CBCB54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:39.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA161D54B2BC64E3EADDB242FC21E04D,SHA256=E2ACE2970A70EA6D7E41B4A4344A23CA6B4DF32031433ED94552635BA581847B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:39.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9018013A732120268DF9A2B8433C6BE,SHA256=0713BAEFED2B1D6E172BAC3E9E1FFE23A95F59083AA99C70A3558504A443EFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:39.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC40C709DBEA901CA47BF7728CFAC70,SHA256=6AF23452DE94B622A34CB3E74D4C614B7614EDD03064A1FDD0D94C6A3CED28B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:35.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58914-false10.0.1.12-8000- 23542300x80000000000000001040484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:40.586{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E193957D45EB1C4228E74AF76EE106EC,SHA256=F20EC85707BCFB5631BFB11F9764BFAAFDDC66A5883307EC82CDFC2582E11E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:40.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA731AC030B32889F3714F26FE2220E7,SHA256=024D4E51C407E3E50B2E4CF6705CCEA06E770084AC12CCB5E799B6ABC06F6126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:41.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=740B5A926DC61F88010064AC13FA5FA6,SHA256=FF89219FF76C18A30CB2EF875FEF482854B3C494C174F18DFA6C068D6C6E642C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:41.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3F9B8838859173D36D6079C0D1592B,SHA256=9E88E9D1EC2BA399372239ED38A01EE93B1B169A6F018F3D16971103AD993D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:40.063{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:41.602{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B2A009FE4DD5FCEFA889AACB5D7ABF,SHA256=BC9CD94D408D0FAF652C70D9EBC0EA76EABA24563DEE448E43475AB51F632F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:41.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6619406FD27F6A31B53A4433A4333A5,SHA256=F1041F5072E2B3416C8CA0E2D8DDCC7487C2A4BEFE338A8FCAC877F8D5F5DF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:42.622{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A817212E8E2980EECCD1D9C1BCB705,SHA256=A41DEA2789F7B12047F66BFBDD7484A5086FFC182D71990369E1AE0EF4AFCD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:42.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278A8E1BF35B3729ED565DD8522A7353,SHA256=F8EB2919BDE9842666336F2958C817D6A49554E8138A36F4203023227845DC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:43.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FCB6F1CE2ED7E45B46E26593A3C115,SHA256=41CCED6754683B925A9EE154FDB6453B8BBA900388BA11D35207B0C4E662F375,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:42.045{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:40.810{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:43.655{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=740B5A926DC61F88010064AC13FA5FA6,SHA256=FF89219FF76C18A30CB2EF875FEF482854B3C494C174F18DFA6C068D6C6E642C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:43.624{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EFFB13AF81F4A7779CD3006F157B7C,SHA256=27EAEA48C6856C4FDADC0292F6BBA92B96818B317769B126679B002F4FAC1C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:44.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70D8C29D35DA40661B3C172C130724C,SHA256=BF39555F35E998B2B7674005F00D793EF00682DF17B56B6FA6B4E88FDF645C99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:42.771{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:44.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06AD3CB920B0952D3DFD93F0203CF3,SHA256=9A32F41B2C5163DE37626BB4CA27C0955A4E09B96B628480B42C4965E748E1A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:41.776{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58915-false10.0.1.12-8000- 354300x80000000000000001040514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:43.551{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-53825- 354300x80000000000000001040513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:43.550{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-52684- 10341000x80000000000000001040512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81AD-6151-0A79-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81AD-6151-0A79-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.786{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81AD-6151-0A79-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.772{5EBD8912-81AD-6151-0A79-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD415FA623E549365669626A18012731,SHA256=21719A2EF002457591F318473D5AD4318E7AF0F1E722D1E602D0D4C57BECCD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:45.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2826CFE618E54FEAD9D3AEADD7A9FC,SHA256=D0D3931ACB97225D2CBB660744E2A42A9E3CBA5FF8224136A682146530DB9780,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81AD-6151-0979-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81AD-6151-0979-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.124{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81AD-6151-0979-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.103{5EBD8912-81AD-6151-0979-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:46.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F3600A1BB4BAD44240343FD8F4C131,SHA256=8F86BBA0D16B1CEC353229D3039CDA58B83C87C2304B0843E07987913A6E8BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.670{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DB507826209841F9D285BDA2BAC75F,SHA256=732812C78B8E088CA624270BEC2AA04486DDE230F41555DFC84B293671BED632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.601{5EBD8912-81AE-6151-0B79-00000000FC01}60285448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81AE-6151-0B79-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81AE-6151-0B79-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.401{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81AE-6151-0B79-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.387{5EBD8912-81AE-6151-0B79-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:46.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0559CB15E43A2AFCCEB79855A377A3B9,SHA256=5B3EF74A6A46195B88C33C8FFF009216734EB0817B7CD185B5340C80F71001C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:42.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:46.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47F903FEB2E6FDE59CD4CF8B562719B3,SHA256=2B96F1325F48CB90D58D00A4B777F3BBF2DDD9F85438FF277A3F719C08BB9BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:46.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A917913A78F0072542FA7718B54A716C,SHA256=39EEA733C176E75F3C2D9C15FE4C795A4708B6A093CF53F9442528EC3CBCB54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:44.110{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58916-false10.0.1.14-49672- 23542300x8000000000000000970278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:47.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187FA6F0FADD158DDE697B44946E80E4,SHA256=DE37A8119428A1AAB14EE071005CFCCA7D4CA5D19F8C906E336084D574ED34AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.893{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001040529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.205{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57968-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:45.165{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58916-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001040527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:47.701{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867865BA79FF35943B28CD9784BD116A,SHA256=F3B6F73537D426718D5DBD462F09666F4D0531BD58C3B34AD1BE8A4F2D1D61A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:47.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F679E54B0C12A121BB1E63FF9D7A3BF,SHA256=24F1D2F7E2B40CDAC1EDFBFACE776BC9779C9DF41FD66112BEABA6FBAEE9233C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:48.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3964564212A027DC00A9DDD80B2B7D36,SHA256=35C83132CD1DEB30DE7EEC2DB2352535EAD27AAC7985BB14778F432E4F14F96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:48.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F2A4D5FC43A59DE09D71169A23C315,SHA256=B55BA2D7007E9EF368A177044632B7775E9EBB394F8376F5FB4F38B8A61BAD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:49.737{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D72D91083D9EA9C9AD306E8F17CB63D,SHA256=613E6ACEC9C85BAD8120A4CCAF5588BD3B82B48EC7781353B85C4990EFCB7B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:49.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770AB470C6528D827D068E8048C43F0B,SHA256=5B0C8E6EAF023E064DD781DE82BD1E9BF00138A076D3EEC0EED43B1DD5BDA367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:49.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47F903FEB2E6FDE59CD4CF8B562719B3,SHA256=2B96F1325F48CB90D58D00A4B777F3BBF2DDD9F85438FF277A3F719C08BB9BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:50.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FF1F88C652E4EC52C86681F0B50CB8,SHA256=82667D9E3C0F22823EBDBD706EA26B417FAD224CB9A32B36602DA1CA5B9BDFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:50.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0272C7983AB5F43CA71F6BE7135C55F5,SHA256=05FD9F898CF7852241EA524AB1872C220E53324686278F48ED558390E3274690,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:46.387{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61350-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:51.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6135B34ABFEA5647C349CDA9497C9C,SHA256=A867D6EBB03794FED889F3511D564F598C62A2DE75DE2F3E3162F8ABF415C5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:51.836{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F5038F60EFCF03FAE0187D640680C4,SHA256=488A28EC488D6D133E1A0CA210C8FD26C4FB8D54DB9F7D79371CFCFA311DA184,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:48.400{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:47.759{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58917-false10.0.1.12-8000- 23542300x8000000000000000970285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:51.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=771971E11441D00D76B13D3094A2DDBC,SHA256=3DAF9B0F398E46EAB17EA3E6B599F50DB170291F80EC405B7B2965D05EF546BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:52.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69319F617688BE0ECAB248D7EFF4BEDE,SHA256=916D41749FE9D082C4BA41C06043B0D96A813B99F497A63A23C4C97F4AB6B3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:53.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDABA223117EE3EF287B698A5B631A10,SHA256=A5BAD6716D72A79243AFA51CD239D86FD1C24D15974395B9DDD411FCB609D0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:52.466{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:51.842{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:53.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1C83050A5670399975079E87BEE982B,SHA256=C8F5E937A3AF266DCE0C3885D6947C9ED6462CD28A7AE566204CDB89F4075727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:53.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C37431783C52A9962C446E1322940C7,SHA256=97BFE5F481CDB3CBF5CC2CF6AA17B8ECEB6DFDF5CC9C2550ED528B90D78DEA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BA4856015B7A375274C51130841C50,SHA256=AF9207BD2096C48A3B331443F240999823B705063EACF3CF9669850305C3BFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:51.008{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:54.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A193AFB2F486576868B1C6E278426AB,SHA256=21B76219F618550787ADF3B15B2C88A477C30238E75A9D77A4518D885D833855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.912{5EBD8912-81B6-6151-0C79-00000000FC01}62202796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81B6-6151-0C79-00000000FC01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81B6-6151-0C79-00000000FC01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.619{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81B6-6151-0C79-00000000FC01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.614{5EBD8912-81B6-6151-0C79-00000000FC01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A6DA918C2FA4FB496AD4F019ACEFD0,SHA256=A1105294FB287D9D714163BA7DCC1BDE4EBB079E804A359F6E074A9D043982B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:54.416{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF07F765132F09647E864E38AE7EA1BD,SHA256=B4E0AD36F986D2882120854F842ED3D16300D1E80520598DA55853E27AB64816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:55.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080F2A82994951CCAD327A2B34B38806,SHA256=329688F26CAF23B1108593C3AD970785CA6E3F3955B8CDFE0472EA3CFB7654DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81B7-6151-0E79-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81B7-6151-0E79-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81B7-6151-0E79-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.981{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.966{5EBD8912-81B7-6151-0E79-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A6DA918C2FA4FB496AD4F019ACEFD0,SHA256=A1105294FB287D9D714163BA7DCC1BDE4EBB079E804A359F6E074A9D043982B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.466{5EBD8912-81B7-6151-0D79-00000000FC01}47203680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81B7-6151-0D79-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81B7-6151-0D79-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.297{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81B7-6151-0D79-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.282{5EBD8912-81B7-6151-0D79-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:53.774{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58918-false10.0.1.12-8000- 23542300x8000000000000000970294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:56.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDE96D2072396E22D580CB76093C606,SHA256=12913F5645665957401E63F827B14B1D20300DC2D5C9921D5752BAECE50289AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08F0157887EA2BD808F76843B67DE7D0,SHA256=CD3ECD4173D1A5CC5DC83D38A5DB6DD40EB6ADC191B52E69EA9ED41374295355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.833{5EBD8912-81B8-6151-0F79-00000000FC01}43405236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81B8-6151-0F79-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-81B8-6151-0F79-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.680{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81B8-6151-0F79-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:56.665{5EBD8912-81B8-6151-0F79-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.997{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADFBF2532A2887037A0698E59023B36,SHA256=940E52523D7AFADD065D2C3FCA0FEDE883AE4ED7926E52F03897476F72300FDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:54.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-52268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:57.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2B35863D2F7A9DA9E5E9BE14DD825A,SHA256=04BAA808BC2EF898C75B595918F7B302E4565372E9E8C129FB90E4A9B9056CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:57.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13851A54A0FC7806E13BB2BA4C55D50A,SHA256=B7B34EE7EF10CFD5C6983803021287E6E8CB8DFAB0C66132E42180399DEF3AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:55.320{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-54440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:57.016{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9387496676568EFF2004DAEDA2245203,SHA256=475405136D6B7B9B09C21393E0AFD83D6D015EA2AD44D8B0933D3FDB07A8B975,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:55.227{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:58.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC77484DF2BC33557B0D2A5D6339ED4,SHA256=6B1FE0E22329299893CB5E87C12EB6CC40FEBFB890DCC25EC2BE24EAE13DBF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:58.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4650578F87FA4F58FC59CE2F2AF3219,SHA256=838CEBDDE52849A3A3C271C34D1042C8ACFD4B4981B402C5ED7A52EC157F35EF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000970326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000970325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000970324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000970323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x8000000000000000970322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x8000000000000000970321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x8000000000000000970320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x8000000000000000970319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x8000000000000000970318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x8000000000000000970317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x8000000000000000970316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x8000000000000000970315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.813{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x8000000000000000970314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000970313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000970312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000970311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000970310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x61518fcb) 13241300x8000000000000000970309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x61518e09) 13241300x8000000000000000970308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x615188c3) 13241300x8000000000000000970307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x615181bb) 13241300x8000000000000000970306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x8000000000000000970305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x8000000000000000970304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000970303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x8000000000000000970302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:32:59.798{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000970301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:59.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8E218B89A75A4458305E1933DB9EB3,SHA256=70241D7DEE48B7585AFE472885C8E8A73C0B47031B34897AAC2880CD5B3876C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:57.755{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:59.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E118C7965393A97B78BA125B4399B953,SHA256=3571E42B44E0A68C5BD1F50C189383262CD7EE69C3F919308BCD26E651EFBB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:00.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A67D7C44A7E6A904B7CF630ACF7EB7,SHA256=43968295B97AEC06422A7723D1719470A40A4F3092E1D9D5808422F1174DDEE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:58.642{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-55220- 23542300x80000000000000001040585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:00.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE76E4F7849941EFF7FB0F824A3353C,SHA256=9B9B1A327D1589DB856CC7E20C20E9C74CC87A31FE07AB1E371047F368EC7A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:58.459{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-49209-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000970330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:58.459{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local49209-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000970329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:58.446{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000970328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:01.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E1C83B9457FCED7897392357FE9040,SHA256=A39E1C664B7F38F0DCEA0AC3603FF4FB5E716CBB34AD787569908069567863F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:59.516{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-53932- 354300x80000000000000001040588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:32:59.514{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59487- 23542300x80000000000000001040587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:01.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929F167281F86A3ECE0206D58F4BF746,SHA256=47A938C8EA1CB1BD6E184ADC74B3E9E8C913CE333BB22FE2D891AE48EE8ACD9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:32:59.776{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58919-false10.0.1.12-8000- 23542300x8000000000000000970332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:02.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517A75CEC2AB41B32CF300EE64CB775B,SHA256=A464F65E3D721DD57349B123DEA989D7E14F18FFC9104CD032B760E54D84A09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:00.648{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51014-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:02.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86EFB4455E4E7F03D015076395E8D321,SHA256=E4A5E7F0BC5C88C4E4D3D338BDA208BFCF3B601557B7E0400EC4337E7B172D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:02.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F57944365BBCC11E67EB8952CA1612,SHA256=137BB18BE5082170E8455D2FB9C74BF209133F3D29D85EE07A691CDD33F4A098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:02.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DF6E1BDB9F1F185B2B0339A5C1E617,SHA256=707D97B0862F31D98EA530D5012E72438006C03D304A1E44161608DD4EFF2ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:03.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E6B60F86C3B012276A283433068CD5,SHA256=A4E4AD72B84E07B4F9C01184CF0A5E523CC24094108FFACB6A64396C78D50553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:03.211{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1BEA8016069521382BF38EABF4D912,SHA256=207C73989431192BD61204232A3495BDB11FEB4A8CD5D65D52FB8F8374828690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:03.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C617C9BFAC34D62DC5CAF7F02DD3173,SHA256=68E6A200E386910192ED6A685D8E46C393C5763B8DDB0BFD05E61A847AA71509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:03.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7497CF2838C6323BD5756D505D88E53D,SHA256=4E4C2FDAF23FD4458AEAABF045F58069CEAD219E5E3508108B970FD702BFBEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:04.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A270B6E7553465D5B364CBA4B620864,SHA256=EEFAE2DCC05357FD75DB89D25DDD2A6F9D37373E3E2CDF7EE10437883287372C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:04.859{5EBD8912-7F30-614D-1600-00000000FC01}12682668C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:04.859{5EBD8912-7F30-614D-1600-00000000FC01}12682668C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:04.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC14F590FAB77A425C04D7F7061E7FF,SHA256=EDAB09BBE9A37B82C343D78B2118D1837E3FF0660074887273FF7743346B7AEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:00.514{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51604-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:05.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD57D1BE762D5C71CAF02A0F26E5D8EA,SHA256=01D327F03E58B89B8F520B8D1326C469818BDA0AC9B6646C6E853AF9B106B5D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:05.474{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86EFB4455E4E7F03D015076395E8D321,SHA256=E4A5E7F0BC5C88C4E4D3D338BDA208BFCF3B601557B7E0400EC4337E7B172D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:05.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD79E6231A082D591B46565DA2EB2D62,SHA256=ADC66E791FD99775CBDD8AF060C6060605A436823B7F88FFB231174254BB8757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:05.586{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4270MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:06.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BD6824D818530893698D70286E570D,SHA256=9119B116A375EC24AB9570E9AC0079E722F8ED7AAE674E9D05EBA64C2742B2BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:05.066{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65162- 354300x80000000000000001040603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:03.835{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59076-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:03.735{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001040601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:06.258{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001040600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:06.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48634E6640C86BB1EDDD22AD1D6FE32,SHA256=658079D7935B005FF0A447A80CD7CA116C18139128C92D417BD28BC5524D5741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:06.600{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4271MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:07.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F6DEC6349C04743E3DEC7E729F2D8631,SHA256=4375E6A953F32ED8E198529B004D72621383F0E2DED3A81DF655D193A3B41F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:07.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB16B420A8C93E7C2DA5967B07E009EF,SHA256=4C562B231E06FC7A6A5F4B2D17FF25F5F93C5EC4C6BD0769C6F585164AF0C013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:07.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2B6E843391C39A46BB2A97F8B185C3B0,SHA256=7EB05656D353CD919E9F746067EF98F748BA37EE1E42C13A68B489F2FB01D80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:05.950{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52950-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001040607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:05.950{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52950-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001040606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D04786041735BAC7DA761D41EA551A,SHA256=0BB7A0ABE5CB419F4F762E21433D3AD6BDD7D380BB46FC0F8C92A963D82CC10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9377A2324483F2FD8F9A69100C78B486,SHA256=AE326E86AA2169691F8C9B7FCF273F97F5BE41A5592260CFB201593DC31DC249,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000970343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:33:07.318{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0x4c0036f1) 23542300x80000000000000001040621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:08.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2348A79CCEF8480363541810278AAD,SHA256=D85C33FE70EEFA8B99CD2047A781AD35A8DD411CF9BC018F43AB1AA390F74D31,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001040620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001040619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001040618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001040617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x61518fd4) 13241300x80000000000000001040616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x61518e12) 13241300x80000000000000001040615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x615188cc) 13241300x80000000000000001040614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x615181c4) 13241300x80000000000000001040613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001040612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001040611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001040610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001040609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:08.027{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 354300x80000000000000001040627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.725{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-51587-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001040626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.725{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51587-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001040625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.718{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001040624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:07.429{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.307{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C40088A4E5155E7DCB2066B5C3BFBBC,SHA256=14D6F407653792FE495297EF2A0BDDFC01A346E6A6AC6287254E1C412E722A29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:05.950{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x8000000000000000970348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:05.810{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58920-false10.0.1.12-8000- 23542300x8000000000000000970347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:09.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F236373B7D9265B451157490F7048F89,SHA256=41382C031D997FCAEFC5994AF164627249D7BB017897CF6D5319FD675858453E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B7B528657022B80973CC19EE4CFC0B,SHA256=80D344F36D9ADB917EDA00E4076DDC87E07B78B1200EB432A649AD813569064E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:10.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5E69582BF1BD7F33E7B6997F095839,SHA256=BCA437861DED9FA6B3AF40FF5BF8E1ADFC21A7EE06CE1B019100B9B460A74B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:08.917{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:10.324{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607CFA3BEBACC8716F2B423679BB03B5,SHA256=A2D659B6758C17D08B4760205EAFF4319BB17A74E52CD982475DBD040BD08B71,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001040641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001040640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001040639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001040638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001040637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001040636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001040635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001040634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001040633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001040632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001040631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001040630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.073{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001040629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:10.056{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001040628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:10.056{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001040649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:11.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B146344C62C5924B9BFB5EA390AAC1,SHA256=A930480DC1D1E3550FC9BE5371D487FA4A256BA0AE7968E3BADC2119B99C2893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:11.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA77F7BC6DAD32979A43566EA2DE5122,SHA256=289075104D5406BC3B12DB6E1F052F506232544DB2057E7F7B28E09731422964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:11.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C617C9BFAC34D62DC5CAF7F02DD3173,SHA256=68E6A200E386910192ED6A685D8E46C393C5763B8DDB0BFD05E61A847AA71509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:08.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:11.177{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCBF34748D97E2310D6071EFC6C5A1F,SHA256=679732294F62E23B9F7761C5E9BB4F6E863FCF9253FFADAF6F8214BA12EC8D90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.755{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65162-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001040647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.755{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local65162-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001040646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.754{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64460- 354300x80000000000000001040645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.753{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local64460-false10.0.1.14win-dc-429.attackrange.local53domain 23542300x80000000000000001040644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:11.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B661A9350B1A257EAD8E08CAE79358,SHA256=57A9AD01D8BEBF6C0273B4BE1DDF0686344F781295A223A312E9D685F38B6708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:12.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1EE5DA6BBC80E6A6E53C5AEAB02DE4,SHA256=F1CB0C0E79474155791DFB472C3CD31F41A5B2D0F56E963AE912C4D2DAA157F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:12.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA77F7BC6DAD32979A43566EA2DE5122,SHA256=289075104D5406BC3B12DB6E1F052F506232544DB2057E7F7B28E09731422964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:12.833{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:12.193{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E290D7F3351713AE16D75BD85C8AE38,SHA256=542C0BB74A452FC362FB62D15977063DF01E2BD2CE5095B4AEDFFAD0CD52EF67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.758{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65163-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.758{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65163-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.757{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53290- 23542300x80000000000000001040660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:13.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503F03DA818BAAF4FD189AE50A2638BB,SHA256=D0A71FD79EA2F602D09263809CC134E214B5D7EEEB8438B2DEDCAAB01793A254,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:10.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:13.412{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51E3C23DED5C6CD9A6566C7E331ADE3,SHA256=C9603601033C3097BB2ED8310434783F3957794B8F51B680C5E7E349A764B809,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.768{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local49260-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001040658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.768{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49260- 354300x80000000000000001040657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.767{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-49260-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001040656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.767{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49364- 354300x80000000000000001040655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.766{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65415- 354300x80000000000000001040654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:09.766{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65415-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 23542300x8000000000000000970359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:13.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D208EF5E436D9E3884427164CF3A5205,SHA256=B843BC22547B4CEF8296E9EF5585C7693064AC4038DF05769D4EB38E1180AD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:13.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F6DEC6349C04743E3DEC7E729F2D8631,SHA256=4375E6A953F32ED8E198529B004D72621383F0E2DED3A81DF655D193A3B41F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:11.795{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58922-false10.0.1.12-8000- 354300x8000000000000000970363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:11.467{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58921-false10.0.1.12-8089- 23542300x8000000000000000970362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:14.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7994D9713A3D0AA9C3BBE5D12994E02,SHA256=F91ACAD95E872152FFC0D85D06987D7EF0CCA771FD50761DE96238F2736EE05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:14.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B25EA777A7A025DC04E184EF38B1E77,SHA256=174FA7F09262A5F9B5F5968B6D3F03D28FA639A427E781A693A17C37FC168DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:15.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633372F9B9FDF4D75807CFA2FBE61596,SHA256=D44B0F521F4E32FCE80AFBDD4C9268F161865C3426A96A570D8F7D6336060DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:15.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F34CAC537430C97D9680599FCCBF2C,SHA256=2D6B9259FB37A96F4DF7AAA272ADBC385EBD74B2A8FB6F5D5D49EF6D71DA8613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:16.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF72EB5AA6E14B3590347CFDCD4C5AAA,SHA256=EF6CDD9CC56F9E3B4F07E92111BAD7FCD680CD568A0356EAB1585C488E533C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:16.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0C04BB49EBD10B1CC718C1A83744F1,SHA256=5649375C92C3D96980930BEDA35A2AD46512A766BF0B5BE4245ACF5FF52302E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:16.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F7A54039CA388982FD577DFF247B81,SHA256=0B71BE79EF6CFA8FBB7E24FB5AC425A17E5851C3C4FE9A76C75E8BEC7C992B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:16.421{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE34541DE390C34973730DE8387B0488,SHA256=F46FE83114D5EFF613AA1D77D5DED68B927380DFBC4D7C6CEF2ECCF77D58E071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:17.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87404C1856D6391B5018339A1BB65C2F,SHA256=B6E5E4B7D21FC810DF6745D451D41458E11B0C3470BE93E550B9F1AD7EF76FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:17.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A5D293737C55BD145AEFEE692AE5294,SHA256=FE3E3F7FF000D103C3C1EAC52C847683C8AC872BF4613D920095F0A61FAD007E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:17.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D485FC9A74D2625940DD7D3FDF9BB58,SHA256=915BC9C8B31D72224EB26039429C057C159961E6DC9049C25A4A10B1BC8CAAAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:15.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001040668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:15.659{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65165-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:15.659{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65165-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:13.929{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:18.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A1A0E7F7FBD183C8EB90E95500E6ED,SHA256=C2DA2C5B99179596684CC551C76DDA6363902A36AF62376421002D6F88BA4995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:18.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921E9B318DE80DD278D0EFF4B8D9F22A,SHA256=C7E0ADC5DE5401587D9EEF75C389E3D8C3C1A85FC16D6D0C45145F6824FDCF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:18.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0C04BB49EBD10B1CC718C1A83744F1,SHA256=5649375C92C3D96980930BEDA35A2AD46512A766BF0B5BE4245ACF5FF52302E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:19.499{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815E87B0350AE5560B299A923FF3F006,SHA256=1AD8932E5FCBB8B2940DECF72CA003599B8A56B6EF15F969C5587C9C3E9A5145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:16.873{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58923-false10.0.1.12-8000- 23542300x8000000000000000970371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:19.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5EE83FA3D6BD63D7C2BE685DA5E0E3,SHA256=FD1081CD5982870662C32704027956B5AD2DDB9E031E6C94236561688DB4B52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:20.736{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E058943CDD9AD94FF01038D91ABA3E,SHA256=76DB2725F876B72072123A0499ED961E75F7F156593A8A32C01E9AAEE557A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:20.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7C00DD5F80610E707C3B546C80E275,SHA256=1C6F58E2EFEE02F5EA0B6D7AE5118691762A5D3BFC09D7712F48C6375431C4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:21.763{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA7479BE456E16CD4122E5A3EC6303B,SHA256=EC5A680D999F804F920A4DD81C8700DBE56598C830E60124B9EE755A1FDDDF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:21.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94016FC83848324A0F06A9010343EFB,SHA256=BD801E5E050EDA7AD0D47466CDA80AD04CE45C3EAFB164C92FFAB6EEC2E33602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:21.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83873712B61D53583B650E8CFBDE0504,SHA256=A227034EFD403C37848564BFB9EDE43A09F6CD03C474329FB266342A3E04AB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:22.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFEBEA405BD51A63680990D098E2492,SHA256=8A4F54F01C4659CDFE813A760746584F27F0D2305EB9F5A357C4DAE68452159F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:22.053{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21B54654347D875C1DE3223EB989AF4,SHA256=A4078A26CFFB36E12A819A9205CA14067E965C584F384D29926833D4A0038BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:19.809{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001040676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:19.656{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56090-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:23.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CD6839B7333C6BABBDD83B78E933DF,SHA256=4176D754E3B2D716E34405D63C65B7B083A404237B7806A042DB7F391542E959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:23.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48888CCA74FCB5C541F1D4A4E80CB61,SHA256=76F7F8B5C9E4F9BEE34DC6A3E598E38CCDFC6CFD61127BBCD1C9EE427F5B5829,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:21.634{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57716-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:23.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAF634E7A932BD8E2C9B6DF5CD0E29E6,SHA256=15F6BD4D0FB5EE004709B54900B1EF20311FFCE6CD6B44AE719DFAA8A7295DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:24.877{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063F4D00C146C8CF99E5FEF720EA3B32,SHA256=38E7AB1328C458DAF880F0C21309E0998111C924FF7A87B47088FEB69E83A3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:24.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAFBF228A32142DB6C50AB6DD9ACC08,SHA256=001313AE0337E4A22CEB209468AC26447E672DD745C5CE1A3E3D3D503F270092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:25.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36CEF570444597B0158FF19B60E3B38,SHA256=0C4952C213F3C4A6F3DBAA8622736ED64FE1970E1FDC579D78877DD9C7DBF732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:25.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E22155898D5D29BFB2C1FBC1375DA6,SHA256=44CC1DB474A6A1D1E97585DDB89F88D24B518D8B074B8453D6E9F18D552FF75E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001040683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:33:25.014{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0x568c7cfb) 23542300x80000000000000001040686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:26.977{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FA2003AC6C986F0E8EFA9F58B40503,SHA256=D724D67B6641C9CD7786EA064519A456222FB3F522CEC989166321E8F822ECCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D6-6151-B578-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-81D6-6151-B578-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.913{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D6-6151-B578-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.882{69CF5F33-81D6-6151-B578-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000970394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.475{69CF5F33-81D6-6151-B478-00000000FD01}1720700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D6-6151-B478-00000000FD01}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.194{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-81D6-6151-B478-00000000FD01}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.194{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D6-6151-B478-00000000FD01}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.179{69CF5F33-81D6-6151-B478-00000000FD01}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:22.717{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58924-false10.0.1.12-8000- 23542300x8000000000000000970379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:26.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD824DFF464DA261E82A496F17B049F,SHA256=0A98D56C83F1796500C621391C381D113EA0E4FA2CB8B5C76157D7A94E33C344,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:24.684{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001040688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:27.998{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798F7D82A5239D65F148B8DD974FFB1B,SHA256=7617BA338F7740952E7E93C8D0F3E615388073C41288734034162778AF05D966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D7-6151-B678-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-81D7-6151-B678-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.522{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D7-6151-B678-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.510{69CF5F33-81D7-6151-B678-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B54B0FBB15C0E34E0D1E1A42D96C94,SHA256=A5DC868D2442545C6A504F9B456AE1EA88159B6BA68C2842929103DFBB7D8767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87224ACD426FB0DCEE2D33D6914A777D,SHA256=7DE3364206290B18D6ECE85E1FC0DC99FF3387EFDCE1FF068A0C9FE4153250B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A5D293737C55BD145AEFEE692AE5294,SHA256=FE3E3F7FF000D103C3C1EAC52C847683C8AC872BF4613D920095F0A61FAD007E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.225{69CF5F33-81D6-6151-B578-00000000FD01}9162620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001040687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:24.952{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000970453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.757{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D8-6151-B878-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-81D8-6151-B878-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.741{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D8-6151-B878-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.742{69CF5F33-81D8-6151-B878-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B54B0FBB15C0E34E0D1E1A42D96C94,SHA256=A5DC868D2442545C6A504F9B456AE1EA88159B6BA68C2842929103DFBB7D8767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.647{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4096006D98CBC4BB73BF067BE13699,SHA256=37F7D7A46E2EA2A362C18D3DEBE99A95040A11361BDDCB5B579F6754FF057E39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.382{69CF5F33-81D8-6151-B778-00000000FD01}37122532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D8-6151-B778-00000000FD01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-81D8-6151-B778-00000000FD01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.194{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D8-6151-B778-00000000FD01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:28.195{69CF5F33-81D8-6151-B778-00000000FD01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E72A326A02319FB0B452FD0F532467,SHA256=5585A069DE3115D1FB09E0B79B304627AFE36F7A73CB43C7F951A732F1A5E23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4364259FC59BB06067FD808AA801DC3,SHA256=B94E2AC002AC8B552141A033B0D1DB5B722EBB551767C73C7254CFC5735D8CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:29.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06880292D14B6A5624C730E5C445BFB,SHA256=1E9A8CC81FF86161F981B813CD8814C5F91480D93138DA821C7302C62547B941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.600{69CF5F33-81D9-6151-B978-00000000FD01}3512312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81D9-6151-B978-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.428{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.413{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.413{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.413{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.413{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-81D9-6151-B978-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.413{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81D9-6151-B978-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:29.414{69CF5F33-81D9-6151-B978-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:25.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001040693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:28.691{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:30.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBF33B7EF81326F59E87D5744282D22,SHA256=42FE618F0A20FBA4364A7EDC07D4BFDD1B11A6413EE5C273F26F659F637AFD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:30.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6C3F24AB54B4B9FC72BF6CB95881CC,SHA256=31440FC1D8725238F492D60CFAA736CA52B043FC2C5EFBC68910B84D8E7D89C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:30.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F037C7515DDA9DEB63415229E9A99249,SHA256=D59FD7ACC6C909A0D3329058FB0B1AFDC4D05BA7A02B424F758C5469AE6A7B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:29.716{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:31.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBF33B7EF81326F59E87D5744282D22,SHA256=42FE618F0A20FBA4364A7EDC07D4BFDD1B11A6413EE5C273F26F659F637AFD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:31.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676C254A0B9D2C32BE7991F17AE7D1A1,SHA256=FE321D24BC5667DE2845C0AEDE06212D5C30A28210DDA8EEDC288925C7CCB0E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:27.811{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58925-false10.0.1.12-8000- 23542300x8000000000000000970471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:31.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72750320679782A7F0C951BB0E91F6A0,SHA256=91EA5788E32BB71986B16F575486D41B39A7E8CA21F2CE18B98D5A684D460F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:30.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:32.143{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D221F3148F847664FE3D7941158695,SHA256=B6D319B0C3501211864D159641A4F1CAE6949F0128E3426D41FAEA2AA948D14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:32.241{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0A15C1EE5A50F8D777E85DDB593A73C,SHA256=2524C4A6AD89A9ACAB4D02373D059B0A5153BC81557C4EAF1A069864FDF8D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:32.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E02521A6B0881FE247CED201BADA90C,SHA256=E07E104D8C32402E156058CEB9A666AB5FBA9692130705DB0E53D278DE32CAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:33.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174889BCB24D43CF39D8F670257D761C,SHA256=56AF51700386D4214F3E1E422DB141415B46569EE385264CDD923A80810A4E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:33.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655E531689EE2E1E7EA6D727916C27D9,SHA256=87E5FE6350241BE59EAF9201BDFFCA0DF9A25323631AFB7053A8F28AE32270A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:34.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4C563CCC956E1519B0861FB3DDE832,SHA256=2645ECCB52F67330879D08EFF978C8FAC785FCDD6682E7020436BC0962B50F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:34.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415127C2B1D76B9D8EB259BFE93F3292,SHA256=163CF420BBABAD69BC85715334C659B0F19F9DDEE7AFF555D796DB06AF862FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:34.043{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4270MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:35.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2E483547F57F3997F28D92BA13596C,SHA256=FC881E679CD13C48A296670F74FB1D5F0748C66579464C809B87E169EEE8AA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:35.712{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:35.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39A96C2090773428BD10735A5E9500A,SHA256=C22F37216904F5E99366FD58B47949C8AAFD087790395C05E8B5809CC464E681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:35.043{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4271MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:33.749{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58926-false10.0.1.12-8000- 23542300x8000000000000000970479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:36.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679732C8FC109ABD447CC619876D11CB,SHA256=B420B0B490A887CA3EC1423B61720012F93A9EA69BBF225CCF28AA53FEEA3F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:36.174{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04CD75EA232CD22A594298BE5999993,SHA256=15477D2DC939B948F12B18A9F63987645907A1299B116B87089004D99A4A9808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:37.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD39497FA64B7C4788502B7C454F703,SHA256=256A1CAED1F610EE0139A18E4AC055EE82758F29FEC18FF407A8FD0F89760576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:37.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F746709F2D7CD93DE249DF5E9C397224,SHA256=CF0822FCCE0D38E6ABA60AA081A0A50930B0BAAC9F136ED7BD105699B3BD0AAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:35.382{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001040709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:38.942{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A1D36E151A4423CC2DE098B177D8DD22,SHA256=86CCEDF1BE9F06CF35A1C79CD198087CC5E3A3417AFF1FA4E1E68369629836A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:38.210{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E688D868002BDD654F744253D8F1796,SHA256=08E18C4690FCCED01221AD1361E07842AC670AC05AE25721207D620401A14F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B80A6261A25773AF8E8D8F95DE3AE72,SHA256=392F6C0E325D3D6DC107CCBBB299AE765B14A483651D78A9B2E7FB8106D90787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1C48488AC80BD1A23F1B56485E7C22,SHA256=4C7B19A7E2CE85B1927BCC78190524DFC535DF1A6F7E7C9E7242338249B363AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-81E2-6151-BA78-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-81E2-6151-BA78-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.444{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-81E2-6151-BA78-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.429{69CF5F33-81E2-6151-BA78-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8253D2C64A933D902849F48CE6DFD732,SHA256=3F9656E53C15DAF72AFA11BCADD2252DFFA7D264E430A20C9CE6EB8936A57218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:39.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B263346FE955D5F51AA0896F095793FA,SHA256=EE7C358283E1C7FF41071C5C20783EDD3891A0B38F6D92181D678F2EDDCBE79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:39.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C0AD68730E27EE70DC443CF2086575,SHA256=BD6EBF15EE193A06C6BE7FC766A9D933576DB8F74F826EBEA2B955C5D119E949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:39.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00A155B0FA015A0BA0D1EA58D9CC0DE,SHA256=1C664DBF1D8CD81E1F047DD0AF97EF39ED2EC3C6EFEECF6E8335B8E43FE758F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:36.595{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57880-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:36.410{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62353-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:39.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF0A4D26A3F5CA91C7557FA4D2E3C6B,SHA256=63DF79E01ABDD95F9837D09B5FF916C24F7DD3D66E2D560568854A864C09C550,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:37.670{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57885-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:36.749{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:40.242{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C76FF26E7E00F9954F7A7819E872AB,SHA256=E19543D314EF111DFAED6EA6DACF2A7134F14B8BCC602CA55309A7E6E9F4808B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:37.821{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-55889-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:40.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B80A6261A25773AF8E8D8F95DE3AE72,SHA256=392F6C0E325D3D6DC107CCBBB299AE765B14A483651D78A9B2E7FB8106D90787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:40.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463CDBBF498590B3217BE1DF4F206176,SHA256=D811CA7CF63CF6E66C899CA1D83F0C14C5409C13F6FCDC063BF7901F0F4EACD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:38.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58927-false10.0.1.12-8000- 23542300x8000000000000000970504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:41.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC78FCF4FE504AF6F2A3118C91F334D,SHA256=7F064D3D7DD8C624825EE874C5B5EC8E5F4E4E8982443EFDC707A276F80D88CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:41.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCCBBB7DFF170C9F30F87D3E812862D,SHA256=04721EFC9BB1981C8A0331DC3F943BC2CAB23D671824327D207DD941B20B7FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:42.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE649876F26A53A1C3BC1A42585CB68,SHA256=4B477AC8D9475315815581F88BA0E38FCBB4D1C384178C88EBE1D34D4B5F3A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:39.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:42.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2C38607A79352C8C282D6485879D74,SHA256=8E33D335FDBA9B8F7CECBF00B508C397DF1805A966822C4DBBF01DBD387B8E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:43.290{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C237B74A137B321F89D9EE42F2044A,SHA256=F295FA28C604F2F2F97F9FBBA69D09C33C2D1B8F5BDBD7416858168617EEABEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:43.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=109810D235B4F499D00A12E652C05CB2,SHA256=435173CCE155189117E696A2BFE0AF174DBBDA746EF060B569F48F81F5234E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:43.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CF6C6621F2DD16A1D2D58B3F160861,SHA256=094286FC9F482045FAA5CF10DCABBC83F01354C4DCA361B32310F75441BF9098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:44.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A7FAC1A29708DCDD550D3F8933CC07B,SHA256=EF27436B21469ED70654DE350C10A558152B2BC20D734BFFC3A8601F4F8CBC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:44.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B263346FE955D5F51AA0896F095793FA,SHA256=EE7C358283E1C7FF41071C5C20783EDD3891A0B38F6D92181D678F2EDDCBE79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:44.356{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86887ABD01D3A5ECE8A7AB7A78D6CAA,SHA256=45D44E8D3CFDC6B238D00B94321CE15A76A4ACD1075475DA0132AE89350A81CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:44.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267C0AB291A34F0583329DC9F721C211,SHA256=21CDAEB82DF35A78B9F8F01CEEE54646CA6B74C2636CADC7E2A792C6BEB1E288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:41.903{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:45.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294FEEC5E25FC11B6E2A1ED572A0D411,SHA256=2AF7E816AF05985542D19682BE7E0DA02EA661F9E719DFA0B4458739ECDCE6EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81E9-6151-1179-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-81E9-6151-1179-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.808{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81E9-6151-1179-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.787{5EBD8912-81E9-6151-1179-00000000FC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.456{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1A84835D3978395C72C065C50F2754,SHA256=D93AEF30ECBC78E5B3F2BECCF08E6ACBD52735F14FA34161D61A34CEF7A16672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:42.998{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61204-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001040730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81E9-6151-1079-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81E9-6151-1079-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.124{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81E9-6151-1079-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:45.109{5EBD8912-81E9-6151-1079-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:46.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8A0C9A73D1DADB8AEAB6EBDBAC3592,SHA256=923580229478C96AC7E08C2CB6AA4866F4EDB72F184054FA3F6A8ED84C30C127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98E2330CD3BEF2214FFEB97BD96B5FF,SHA256=46B0591713C8C1DAD428E617DB7F20215848DDEC603C0FD510A56F72443303CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81EA-6151-1279-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81EA-6151-1279-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.496{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81EA-6151-1279-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.481{5EBD8912-81EA-6151-1279-00000000FC01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:43.282{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001040742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.121{5EBD8912-81E9-6151-1179-00000000FC01}4168376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A7FAC1A29708DCDD550D3F8933CC07B,SHA256=EF27436B21469ED70654DE350C10A558152B2BC20D734BFFC3A8601F4F8CBC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:47.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1416E0316EDDA1808E784A8F88AB23E,SHA256=33DD1F07CA591FD2EAED4E6EA1C124EB64CF2D4A9873165BA23E206ABEF55D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:47.529{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F033696C46A1DD8290B9DAFFBF19CA31,SHA256=8C98C27791A909C499C1EE8A75C32F203A655E03B1EF3482CAAD9E22E09EEAD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:44.802{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58928-false10.0.1.12-8000- 23542300x8000000000000000970513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:47.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D664FFDDE51A4BD54F1DDA97DF38B5,SHA256=577B9D31F9166BA8DFA193148AFBD3CD9041E83453EC4E423CAE8558BCFA8ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:48.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E29EE7D0AC5D59921EFADF0A1D9829F,SHA256=307DEB5242E495D9A4B3BA2D217103BF56C36EF509B799B5383BC5148D0E605E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:45.252{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:48.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D7ABFDCDE6D12DBCC4E8A2AF0D7BB0,SHA256=A87407CF98FB8038E4BEBD29E69B9E7306ED04816672BCB03EE21DB5149BDFFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.820{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65172-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001040756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.820{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65172-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001040755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:46.187{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63095-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000970515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:48.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6253F81F90DAC1BA3D2901D60D4B1485,SHA256=C847D4697E467EB28F00B413AC035747D3CB2963145E4B6CB5AA63930CFB2739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:49.645{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769911BC2AB6524B982F89436CB01D99,SHA256=3CF503D6BBD3C4118D78FB3B63A71647D54C8461F4BA13D4F6D8A2D14BE2E143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:49.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B1DB82A6FDD73E02C1E0CBE7EEE9C4,SHA256=3650A7644E35E269B6244DB65AE9695C1F1A010750E1C905BA53B8B69B526C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:47.870{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:50.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81C1330DF284A56DB76946AB5795E8D,SHA256=D61111B467DCBF5A118080FF2112D221783AC623AF06323F075154A898D741C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:50.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBA69BF92DEDD13A8AF2BC1C1682FB0,SHA256=DDD8006AC4D9A20063B80612B70B9A28E27C5D980889082D0F003855CC5B1C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:51.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4D7D532D1834EA718A3FAD3EDBD3EE,SHA256=8BF9A09616897278A65242EEBD3E96B6A86CB6E6949E6CD984701F4E436A1692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:51.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86696C4E4781CD07631D64EB44D7BBD,SHA256=B6B803DB3923B57EA50B722F5F8603D3844094CCF03CB21BAFB9E368F219A431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:52.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2889CC5C7B2F703EAD6A74243741319C,SHA256=4F79BB8850524264BEF5ED1CB116439D8A37D721341E4E33194CB2C1F5633582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:52.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EDB303A74F710A3B5A1EE3F049A861A,SHA256=24CC4132C842B7A52A0FFD2654FAAD450A98EC6A70A5E93680848D540B44280D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:52.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D0012A127FA35A5BB047C6546652F0,SHA256=EA0B9D5D52FA70732E2ADAA6696A51AF2965655C127FDA35CF72117A77446D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:53.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F3B6E0AABA085071F956E236BF075D,SHA256=3B2FDBEB8F135FF0B4B3D9BFA0DA8D46068CD201FE86B308CE9360588A910109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:53.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=185DDED78DB352D02823CDC46DCAB69B,SHA256=58B3FC03BA4A67F3CEF8DCFAEAD6321BB3C08FFD4A3A91EC6148384DEBF6AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:53.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E88C9E235916DCC6DB29A5BDD3582FF,SHA256=D36D304CC87A3FF0FB672B0571BB086F0D4EF589CEF99B5937D062DF0CD97364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:51.699{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de58990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:51.657{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com50245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000970523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:49.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001040781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.827{5EBD8912-81F2-6151-1379-00000000FC01}24884780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1424846EF7673D6D4F19939D07DF68,SHA256=790BCC702BAE64ACA18552E80BAA05E4B64ADBD10F4C417DC7970A7882FAF08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD08A193F4708F025A283603217A45E4,SHA256=BC888331EE7F7C3F50212A19CBFB9BD9CFFE831CAB39F7E4BFB87247C31B8BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:54.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FF02DB89AE4A086FE54DEE6CE6FB8D,SHA256=8D014135ACB9D0EF09B9C109C415CBFD5BD72B11BD81E8F367ACC16CF39D6D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:52.529{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50766-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:52.485{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com17095-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001040776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81F2-6151-1379-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81F2-6151-1379-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.643{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81F2-6151-1379-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.623{5EBD8912-81F2-6151-1379-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2A96591FDE14EDAEEC329515DF1378,SHA256=8841C7E08413FC69067A37E8D7290192B70008CCF4EA1EF9A59F1537CF7DC250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:54.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A610811412C3A744875C561E7E1D91A0,SHA256=25F800156691499D53A233483B00F23A961A75B08578C823C11003AEAE233937,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:50.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58929-false10.0.1.12-8000- 10341000x80000000000000001040801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81F3-6151-1579-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-81F3-6151-1579-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.959{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81F3-6151-1579-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.945{5EBD8912-81F3-6151-1579-00000000FC01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C4D4723E4AB36B683F4D5CF2AC607,SHA256=505286B90A15FD611AEED45E0464C702641A935F556FB46854813F813AB8B267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:55.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78550D8248D022310A66873697E5B292,SHA256=7D89A46DA8C0F99A6C2C45012EE8F094BA585C79299375FF8F4398803DD78C5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:53.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.643{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2A96591FDE14EDAEEC329515DF1378,SHA256=8841C7E08413FC69067A37E8D7290192B70008CCF4EA1EF9A59F1537CF7DC250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.505{5EBD8912-81F3-6151-1479-00000000FC01}67606952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81F3-6151-1479-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81F3-6151-1479-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.327{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81F3-6151-1479-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:55.321{5EBD8912-81F3-6151-1479-00000000FC01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:51.180{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com16572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.958{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69B00E9273AA383D496F48F1B2B3887,SHA256=FD1661FA086EAAA4A73E0158D94D5BAD6237DF3CA20960F7D85E04D3BB42D043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.758{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E1F4E9BC088A01289C2E58A6CAF07B,SHA256=BF0443B21FD96C67B73544A963C9B3AF82F6A553E45E8C75C1246A8AC2D0D171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:56.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75396B0D32EEB17B026494F9D008390D,SHA256=D77479541383B7FD137EE4535FA8D4260566307310990C5394F33B843FEF5629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:56.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE83D3E4BD38B2A7EF67412952481FE,SHA256=ACF019FD1502D18EAFDA3AA371CC170A07B52F3FFAA739284408C20873A7591A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-81F4-6151-1679-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-81F4-6151-1679-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.658{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-81F4-6151-1679-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.643{5EBD8912-81F4-6151-1679-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001040802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.105{5EBD8912-81F3-6151-1579-00000000FC01}44482912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:57.773{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD76DA1482650492E228281388705171,SHA256=25D2E499A071ABF9CB3F34DC2AD410559966E0A54EDA49BE180912368463ADF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:57.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C172551F2B24CC740080CE7BD3735E1F,SHA256=FD30C886FA4A7C595C80B27C1F24EC7A3540D759A450B9666F8B7E7C302DB306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:57.305{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000970533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:53.935{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52229-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:53.578{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52021-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:58.856{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAED5E7C2476D56AA67329F6587A831,SHA256=3DE5B0FDAA9F632BD5258EA9254E11E6F064008A0F4FFC63076F041C424DF11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:58.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52BFFF0E5645D31A980D2493F1FEA9D,SHA256=AA5D7DF24AFAE67C74A11191F451987618D26EE442326E8562D21F1F7D2657A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.908{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65176-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001040818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.908{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65176-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001040817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.900{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65175-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001040816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:56.900{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65175-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001040815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:58.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9719373557473FE15FD2E73139DB2F,SHA256=6751C6ED46577B0A09FD1709E883B459BD8A0B140C847D18755E2DF32437E69F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:55.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58930-false10.0.1.12-8000- 23542300x8000000000000000970536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:59.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82AF7BA5F40204BA89A0F4FFC75A7BC,SHA256=CBA300F8BE0A7CDE0F3C141964DC5B1C1D71E0A8E95F9D0F779F53B4D376D08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:00.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F0ED46A0889E33590482911CB209F4,SHA256=464B990BFAEF1BF104C5365E8AF959320EFF6A83B20CB39E01E0D065E8134470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:00.071{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF77EF75D11CE3A66CCA689595C88850,SHA256=503D76FEB716C4F4E3A1E7E2EEDE6BA45A91A1290C2645FCCF7C8FD3DCB17326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:01.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6120614ECE96E15FFA144215A8141E6D,SHA256=C0E56CEA84BB919C0B2F571A7D5B03E63DF55128A7018CE932EEF9DB0875CF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:01.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C4FF8CBEB7091664B1084C34E58E40D,SHA256=E4BD36B8871249DFCB7FC7218EDE22A8228AF7AB7791017BCD118C3896D8E937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:01.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050B805C40685EAC7E1D0AADD102354A,SHA256=5A97834339AAAFB7CB9F3C7A5D72990C39EC1F784FE5E3F556D905B69D10247D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:01.138{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB4C52D25A79D6D52A55364B0EAAD1D,SHA256=87224689BF45A78F9F985E9A8BB57D78BE736E598477B3BDA80BA3EF88111BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:01.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6495394B6D99A256DF290A92A2CE4A2,SHA256=C11BD0FD6274DDDFBA028FEA6E076C60D23855A5BFC4DEBC6F96A4F383208351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:02.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB263C9AA2A23A737040D523DDB420A,SHA256=234C34A0AD8AC216760CF64CF9335A90C810C4B1CDC1554B7CF3BA831E19ABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:02.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF37965F4EBC5DA0A3DB3089CE49FBCA,SHA256=C40C39B1B2E87CB7AC4CAE395A3355E15EA3D3FD52855BF33E808D79DEDAA21C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:33:59.008{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-55007-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001040825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:59.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001040824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:33:59.514{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56468-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000970546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:03.494{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F58FE22DB1B9307E3690574BBC0714D,SHA256=65F9C3ABB4FAAE992D506FBAF36D80E5376D201AACB16B1631A82179C8112AC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:01.501{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:03.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2486CD27F142D3A009AEAF41E07DD016,SHA256=77B7495DE93A05AE5A895D9D5F3BF4D975A3855ED69F3AC37D7FFF72A868811E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:03.291{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6120614ECE96E15FFA144215A8141E6D,SHA256=C0E56CEA84BB919C0B2F571A7D5B03E63DF55128A7018CE932EEF9DB0875CF70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:00.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:03.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=962C11E67B373F768E771BAA38166797,SHA256=94C43AEBF621AF91E9BF589E6987EF68B3B80357CF7FBDEF0CD2F3A1DCB7C63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:04.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2E14BB457C55464FC7AB92604C5F7,SHA256=2B49559485CF3446E3039D5CA669DF4EE01A0B3049D2B5DE681886FB4BF61A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:04.298{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C36745FB548A62F4716319A2EB3769E,SHA256=B8B4C640AE9A70040F8777A623FF01C0480E72A019A922CF4C9B7B82E1355A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:05.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5009AE17EFAFB15F8E80C4059C40592,SHA256=D4F82D5ADA80856C7B3DBD979E6061EDC82D5C7D0D7A2CFE394932112AA69416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:05.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0399344436318DC7CF6380AFA7373FFC,SHA256=BD8476A5786513D4D407D0715613EEBA4EC3FD87E7FBD9B6E94216C1048C17C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:01.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58931-false10.0.1.12-8000- 23542300x80000000000000001040832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:06.371{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F764E08618D5AE98F2647546936CAA80,SHA256=8DADAF40B466A7E4FCF60CF1F2DF47F300F4ED66CC920ABD959795574C2B0E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:06.541{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451E19C8D785E9D1F5693C2954D0DA77,SHA256=6419CB96988C085068CF1A53142D3EB5528A419D253E16E247C5F702967E56CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:07.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0560F5673A379B3E52432D3E3AE6DABA,SHA256=5C1B9FB27996230A4E6C7882BD34312F456BD8424BB5E01FC9BC8C5735AC7542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:07.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F787FD64B349EF65BB83AD46C5B3E4B7,SHA256=7F5A19E82128953FC3960C90B95E845A547CF0EFA7C42BD754276BF738F50139,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:04.904{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:07.127{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4271MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:08.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2568B36AB1A1FA788BB07B2809FCDE8,SHA256=3F84E8B8085F1F9F853CF43EE997353189BD42FD44704B73C5A57F69A5EAF132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:08.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8329DB75D77B1B51945ACD6251A44392,SHA256=6236148406530373533B85C3F7466E56E397038CB7BA70F6CD93542F4B51870D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:08.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93C011864A58AD9179530066CE3EAAD,SHA256=F51762DD46F4B43626985FE713DF2A0A471F9B565ABEBEFFB8278A913D3A617C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEC524EE42C12E172F5A1E28F3EBEAE,SHA256=CD45EAA5B4A68DA450E2E4D2CDDEF0127F5302C49DA45E5A78AA496BD0E01062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:08.128{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4272MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EC195894961B9583DB2C98957115BEFE,SHA256=FE5A9EFCB4765594CDFD9541E4F969C09A87BAD83C49E18B77B093A59D33E92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E907D755DF2D2C40B11D8B1B317D0D11,SHA256=6E274E0E2272D58D774833361627215B6CED9CF110CD96166C95D44F6DDEF842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=64CDAAF84C55DFCA00333BEDD3E80573,SHA256=47D6899518EB653FBBCE10F7AD0A77DD31CF479B694D564DA8560595F8BE56B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3EDD3EBBC38D41646548C64C06DD6481,SHA256=4B962A5D8AA2DBA71B5871E5CF82638579B1DE4FAF5CBDB2E911D52BAE661FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=64AB90B34A2C74F5E618720C75BB3A8C,SHA256=D9F9A2C93DD2BA56591BF8ABEB50434C2770928A29CD6DB66FC265A040CFA254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:08.353{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DB7529D31744D11644448EDE89F52DB9,SHA256=1EABA32BB0C8122F1B4C768C3E835FC0D0B5AFEDA619F29B27248A60A3AB17D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:05.905{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62035-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:09.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760489141FD6B3776EBD7D3FE3D357E2,SHA256=3041A8332A6DA736647F43ED55D60CDCB57692A4B28E53770565545637BB46FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:09.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F4D0F038539A32881CE439CEB2CD716,SHA256=D2A8CC71248E503095E039637B2D26B79F0206100C28CEC77E2451834250C180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:09.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01C28C361468F598E6A12D658A011517,SHA256=16841378B21A357487E6340C5E1CB6FF3595135ED28C26BC8CF3028BB976B698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:09.403{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8892DDD70D8B75D4B32991F3548A6600,SHA256=8F2B45F05DD63A5520148D82070A5A01BE794B9089AF0E23D72E5A75501CD69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:10.418{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8AA66C775DD68B155EFDA86430EAED,SHA256=74ABB3C382AEDCA7202AF97533E0E27F8EB54B643BCF8475D1EBB9416C280786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:10.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2568B36AB1A1FA788BB07B2809FCDE8,SHA256=3F84E8B8085F1F9F853CF43EE997353189BD42FD44704B73C5A57F69A5EAF132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:10.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF264CE4BCFB836E9962FBB3342560E,SHA256=8F17E230135B36476E2FF99EC9CC312A0483B3A596A3691EBE41D5ED3B0C73AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:11.436{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3B284FA5D93DD277C163573A8D8569,SHA256=7DE8AD32799C58A26D7FF673730236CB1307A9619A85485C79E1D8371FF3E3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:11.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72AC8232FD281C4DEEA57526301621E,SHA256=A0B35D5F886748E501B487390FB72E0405A1F1713CF3452133D6F5CD1CBEDFEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:07.306{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:12.862{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:12.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B3AEFF506F7DAD49F4CB88A2D4F283,SHA256=1BABE7CF6BDF82EDC7C0ABBE02314336EA30C20F4BFE2363545250223E030122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:12.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166BC40A8CD35D2FC3279779B41BE087,SHA256=3B2BB7195E3E2B50F3F7C49B348610FEC15FD291474F455BE5CFBF08904BE41D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:07.947{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63588-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:07.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58932-false10.0.1.12-8000- 23542300x8000000000000000970567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:13.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF45833796371D1ABC9EFF71ECD5BCD5,SHA256=174F4E246F494D09989403899EF80B551BD3A99C0213B34C191AEC04923FC872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:13.524{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4EFB860CBE79E955C0666D32B0DBCC,SHA256=B071304B53AA130D0827CF2CA98242608EADFE1A1D520F04ED96B4F200D46191,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:10.844{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:14.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E166CF559902C2704D605F76ABDAEAC8,SHA256=88CADB87D7A17928ACE5075EF140BD8ED482FD97D86688285E682D422C94A0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:14.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21AED6F122F5594413FAF1A99F4D047,SHA256=9E7F80773F55A67B7BF12FEBEDBB1141E8363EF871A0F97D8E598D6E55C93443,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:11.494{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58933-false10.0.1.12-8089- 23542300x8000000000000000970569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:15.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA9387F0DB3F12C7B56E423BEEF762E,SHA256=BA7901C470A0F405A14C19244E5B3A90B3D0CB0381D5F652FF13833E47A5F4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EA46766043B6E628CD31B80DE9C46A,SHA256=D557ACBB075DCBDF4601AC02715046F19D687E6F8C5E6241911CC02BE73494AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11ED4969B4C337D41D144EE5E5BAC308,SHA256=AE74F65AFF65F40799F136F9DD14A8AFD84A0CD781B2A230C4E4675261B15E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F4D0F038539A32881CE439CEB2CD716,SHA256=D2A8CC71248E503095E039637B2D26B79F0206100C28CEC77E2451834250C180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.973{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11ED4969B4C337D41D144EE5E5BAC308,SHA256=AE74F65AFF65F40799F136F9DD14A8AFD84A0CD781B2A230C4E4675261B15E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.703{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5C733709693F41E1005BCB978A92E,SHA256=E838559A0ACFA365BE85DDCED2D6C8E15E189182630F26221753A8005E1BC7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:16.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B6F8FA98EA9A2C4E708EB3AA66E9F5,SHA256=DB1BDCAF893825BE0A542369B08B8D58979595923EBC2E0B057D6E5E433E9FB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.456{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001040887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.456{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001040886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.456{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfabd2db.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:13.616{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:17.823{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD21C8578E2D2DEE62671D9D871007F3,SHA256=4480AD950D73597BBCBB5AF18A27EC1C887E5A158D5C1331267BCA5097C562AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:17.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C64D4935594A3E09FC5BB448EE1B3,SHA256=7B9E0A5EC2C217D5819EA2A62C5B7BFD000945B4904117DF971608EC182DE675,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:17.419{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:17.419{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001040892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.664{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65180-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001040891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:15.664{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65180-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x8000000000000000970572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:12.854{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58934-false10.0.1.12-8000- 23542300x80000000000000001040896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:18.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693635F1737D0BBDD557E8B358C84A41,SHA256=88FC6791CAA2246F23789AAA4A7351A62BD8FC2DB95688458B46A25ED870583B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:18.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922621F88701DE94ABEFA9DDA8916736,SHA256=94351B5EAF370C8C0132CB80F0CA6CF23ABE0C02E0DD48FA1D92CA8ECC94C76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:18.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23365973B2EF34C6E1064F282675EBE,SHA256=823553299DAEF1C2C4639EE30490F239DCDC4E6696252D3911A41B754BC7C0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:18.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D967D8DA6A569C222078DFCFE39960A6,SHA256=F70327224D9179211EB91C807B1622D59C223391E56CD5D38B3A4134D2996CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:19.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C700A43183BDE7B7C51ECC53BAF3C1B,SHA256=2E34CFCD0853D1315C4FA85FE81C22021990C902D5BB0EE2C3077B4262C75136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:19.856{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5F9AE7E7337BA7BEFA6DAEE4C4E6B5,SHA256=77BB7FEE88D4B6E364B8ED27E65A8C0C21A0BB99216FD6A30059DBB6C45EFA5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:16.764{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000970577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:15.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de58945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:20.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3DD54D5A2876529D2A46EE639401FF,SHA256=C1BF6C0C22990FB7EFE875E5442BBDB44737C7FB95E3B96D206DEBFF7030940C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:20.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A578A34F062DF52CC892496934EC713,SHA256=42B6AD3D844A4763B4C06B78CC81A6E8EFCE4EFBD937073F83E90407050BC8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:21.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C95096BA398E3CEC14D46A20451926B,SHA256=8970B4921CD01BA07A66FA3E1A20434E3CC559CD184A3056F49C902BB986AE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:22.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566BCF356A1575484C4BDB0C7BB25D2D,SHA256=51FBBB14EDB843FBCF53A75010FD855A90F423476971FBA3C315A8BB36801599,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:18.822{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58935-false10.0.1.12-8000- 23542300x8000000000000000970582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:23.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DF8459EBF09365689BA3A0E0576654,SHA256=0446D44A0BB235EB6F2CBC7EB02115BECD549BDDE23CC6B2F636265FFB1C6CC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:21.908{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:23.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8E92B9DB7A5A2A7E60E08A6E50404A,SHA256=5AD32101892EA884C39046D9E1268B6BBF6C11178F6AEC3AF7320B81B48270F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:24.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF4A9C20C648ED70BD187E5DF9653CD,SHA256=AC884FD02506112F94B949B72871E5CE03580E1B66FA1108D1B1CE3A8FE7F37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:24.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23365973B2EF34C6E1064F282675EBE,SHA256=823553299DAEF1C2C4639EE30490F239DCDC4E6696252D3911A41B754BC7C0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:24.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C2C5B43CA0325BA90ACD02974B929F,SHA256=10EE5B6BE779AFC4F6974F46BBAB2A13870E1211FF75F17552157F93122744A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:23.064{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:22.338{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52889-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:24.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46426A702C1914FA9130BC7AE2D69F36,SHA256=D59CA499B3F481D0085862E4422CAF8A61E2FDA9A9BFDA3640A4CA23BF705096,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:21.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:24.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E6267BF03063D0A6DC61997A479FE06,SHA256=6C0E3E6FF4F947C1F3B6FB10FA5FBD8969F0C435AAE21E5C983FEBC4017F86C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:24.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE9DEC326C976E41956DF71F59D114C,SHA256=37061736FD1197DC6C94D67027F53F914F84738D965781EAB6BA1EE689DBC58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:25.605{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E77254063879CD5DA4561E8DBC40036,SHA256=20B9F69B4B226345C5E7BED98698278F1C1D6C01006A1E03920B5746BCD18B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:25.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB14BAD2FA99D7671384CC3B4DFE20B,SHA256=00087CA912A87BDBA83BD99B3329543F7EA566A09E552A99CCAF213AA059DF9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.965{69CF5F33-8212-6151-BC78-00000000FD01}3424712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8212-6151-BC78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.793{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8212-6151-BC78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.777{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8212-6151-BC78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.779{69CF5F33-8212-6151-BC78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799D34D59D1AF04F6BD10048F0C0BDE2,SHA256=CE86256821869F84B8761A926D667E0DB3E0D03D992967C201569A2C123274A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:26.281{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18070984918511404668561F251DB933,SHA256=9095A1042076527A263B19B0602EAD0F22413120E07E1FFF3164D757D1D778F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.496{69CF5F33-8212-6151-BB78-00000000FD01}30281520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8212-6151-BB78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8212-6151-BB78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.199{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8212-6151-BB78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:26.184{69CF5F33-8212-6151-BB78-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F793AE89D8367899EC778231356A2EA,SHA256=3094F78E224EDB72FE90E5049E3F63E12356E4F53DDEAF8FA7C3B65AC45AFAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:27.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B713BFF9F1ED5835E5BEF733DDF7E04,SHA256=66455580BE3E3C8C341D7637A8659CE2D549937B1F29426BDFBFAA788B7DECBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8213-6151-BD78-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8213-6151-BD78-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.418{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8213-6151-BD78-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.403{69CF5F33-8213-6151-BD78-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:27.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF4A9C20C648ED70BD187E5DF9653CD,SHA256=AC884FD02506112F94B949B72871E5CE03580E1B66FA1108D1B1CE3A8FE7F37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:28.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090522614043944460332328327FD8F3,SHA256=A27AD9B73BF4DA8381B9115E2B917A605AA3E41455F2E0B155D413EF60719F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8214-6151-BF78-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8214-6151-BF78-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.809{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8214-6151-BF78-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.794{69CF5F33-8214-6151-BF78-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:24.785{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58936-false10.0.1.12-8000- 23542300x8000000000000000970646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B041EAFB12A08BDB793BEA8855F0C6A,SHA256=DB0D9F1000BBB72B093DDB83C48722B4A55A9C0A571F45897B38E4382AF0F44A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.293{69CF5F33-8214-6151-BE78-00000000FD01}10442812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.121{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8214-6151-BE78-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8214-6151-BE78-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8214-6151-BE78-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.105{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:28.091{69CF5F33-8214-6151-BE78-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:29.393{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA1B0B543E70E5ACA7C8A4FA3FEED68,SHA256=B3F2F7B49AF978C127C3D36CD8113C1831DFFFF12F53615DD8DB06CDC5446DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.699{69CF5F33-8215-6151-C078-00000000FD01}24603076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8215-6151-C078-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8215-6151-C078-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.496{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8215-6151-C078-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.481{69CF5F33-8215-6151-C078-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DC1E5C56B5C859C0DCB3836BF9D084,SHA256=A72935CF4F1D68EE8B425578119981F99E3FBE517817ED879CB6B3F28073C1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:28.972{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:27.786{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:30.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC9C66196C738D7E397EB05816F8157,SHA256=16EFED025CCF24464039ECCB3D08B9B5092AB844B0536B86D20CD1AFC2FDEF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:30.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F61608CD5E3B82F278DF9A90167DBA9,SHA256=E46B38331AB887EAB295A4AB17755F29AEE908BA685381FE5F2304ADDB3B3DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:30.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5945AE3200D80BC9CCFC683690EE3675,SHA256=765576F69E7796B885A8E51A0F46444403E86C3C14414302D41A3F9AE3088033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:31.445{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41561946271FA69D22F389A7677F58CF,SHA256=2E9D316293BB1A64D0EDB788B551D04DE6EF7FEB87E45D0D20F9BF0ADBE88C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:31.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95DE9ADD6F618D6108F6F7455C3991D,SHA256=E8EE29F3E1080E50E68831E166F0DD831A5F974B968193CBF1BC1B1068BDA624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:31.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=174537EBEB636BCA3EF3C98CC1AD634E,SHA256=9ECEA03CD43C1D4B329DFEE0DE4A3B5EF306B1BB4B786B1068D7269DEB6F0D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:31.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E6267BF03063D0A6DC61997A479FE06,SHA256=6C0E3E6FF4F947C1F3B6FB10FA5FBD8969F0C435AAE21E5C983FEBC4017F86C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:32.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E608D4612C451042E90BA2BC88DE8565,SHA256=241311ADED76485BAD7854E63A7AD08E2B5681A0DC58D1109B7D1CCE6E363AAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.909{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58937-false10.0.1.12-8000- 354300x8000000000000000970682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.906{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:29.512{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001040920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:32.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=174537EBEB636BCA3EF3C98CC1AD634E,SHA256=9ECEA03CD43C1D4B329DFEE0DE4A3B5EF306B1BB4B786B1068D7269DEB6F0D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:32.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC91600D6AB3172809D73DCF20CBF5B,SHA256=CC73BC3949DEE07476A8FD52DE56BD3AACB98B64F0FC55B89F18D770B45430AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:32.246{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7640538C5E5D1A05D5CE65E3E9B8C58,SHA256=3D093EB29DF02EE6B0EEC1C27E00FE8C036B036F0827AFCBE519F60C4933FEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:32.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1868953F1621FF5BD08D17347119943A,SHA256=B1FABEEDCAE7669DB10120770286FB294768CBE9C82DA75D134E92DD518D2362,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:31.202{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58495-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:33.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026827DECE079A54271A2ABE0918B517,SHA256=0EFB878A3082C42C1705000D054FD557040139031CFEDA52DB935E11DA15685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:33.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8B24931E62D55A5EAF371D3078B903,SHA256=98318E79A4D40252CBAE2F5AFAFFF4883B17D13136E40819D5BDEC1275331A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:34.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EB0B08C1709C71EFE04992F121D15B,SHA256=76BAC0D5FD4F3DACCD96F86F30006AF5645666CFD2CD97B100E7EB96CC81B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:34.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C9EB13F8EED51FB2375FA36C510FCB,SHA256=603695A694381143D6D71CDCFD52129ED396280197E67A949E8AC4B4EEC3599B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:35.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A16D7C836751C3E469A9DD2013E7DDB,SHA256=5CB84BD6E0E0FCA7BF1D9817388DDABB40E32B04909EE8C1B03F660B1DA064A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:35.742{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:35.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61A54C1FD529965367A6BD04AB97D1B,SHA256=4108DB1CDD45433D4835DEBC19CE5BA5753383A3B4ADB1B49046C1263939E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:35.575{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4271MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:32.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:36.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE22D8B2BE5FFBE4B97908CBDD713ADE,SHA256=77D05E903132C5A224CD805B3F2467773631A51D8B77305BAE8B087B502ABF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:36.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCF77F5BC6AA06CCA7604E5BD118130,SHA256=E0E0C121679E9FFB2787693F0BA6C59B336D78A41D373072CAE7BD4927EB72FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:36.590{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4272MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:37.724{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7B6F95BDEBD8384137487DF1541931,SHA256=3361F6278061F5CAE47F2697DFE7AC12213B4A5B42BF3FF3B9ADBF54B616F2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:37.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C334C50038A3A3670E9DC4C97CAE25,SHA256=3AECC5BD4914634FFE5552229B44331FC18AFF9D37178F9D2B6F8F713DFA9BFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:35.418{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001040933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:38.954{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2CA8560AC4198DB2C1A66A5F6F383E49,SHA256=5F1048B5797F8F505A0AA834169AC33A02737C7D52580532B77DD409E9C90C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:38.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C826CBCAC471C102E03664121D97D248,SHA256=669EFBD0E8E63E05CABD15ADEE17C6655765EC4E91A50EC4D7A1E36C863A476C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC681BB9F000E463B07313FF48214AD5,SHA256=6DCED1D2FB41348522EB9DBD1D135973D3A0F7661D790795670D7B40596785BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.418{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-821E-6151-C178-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-821E-6151-C178-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.402{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-821E-6151-C178-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.403{69CF5F33-821E-6151-C178-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:39.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88831DA13E457C88234FE7C6F468458A,SHA256=F31F513175CD00BE1585A46A8EA7A47DC2EC008C4F0D81D2CC156932E7181E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:39.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4D098416066D8C12AD7A88741F3F6D,SHA256=E360E7029BDF51399933CFA1322535062DC834BE2A11AB22C9342C75FAC6B267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:39.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB9573B22A601272C200C156FFA6E825,SHA256=695C50381A6CE27FBDAFF6EC77BB8A33CF0B2414445004EF737BB026F0E22018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:39.785{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A41A01FC3C12DCA1F7708952525A30,SHA256=302D70739AE7A6786A9F361C3530500F7376BFB9F472F4EF7E600A42129D352C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:39.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D02E21C4FC4E1AD6357E0F4E9172ED98,SHA256=79DBDE35EA4C1C7C2001F21E3EF49FC86045057CD3F7DE23E01DCB8FA8A5E51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:39.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB244D3417FB00111E6D78353432FCFF,SHA256=4EE24091C689E454B23E228E9C499C876928F6BE1E00D91ADCA0A6EE3DAD7B6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:35.863{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58938-false10.0.1.12-8000- 23542300x80000000000000001040938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:40.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B28E67938406C2EED789BEAA45EA364,SHA256=0437AC4988E20E026BFA19A8CBB513F9903C82DA347F663073EDCC2C8435B11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:40.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8451290B7F6D370893044B2FA5FB9293,SHA256=18C874AED83D407633A5E11F5F4CB5982AEACC936FE17EE58D4536A4E6D283F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:37.879{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000970710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:41.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699A8D3ECF20B594268AAAF08D8100CB,SHA256=061874189B77B29F411DEE06E133A8871A388BE9EE09406E563E613899D04768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:41.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BE15E7FABFFB72B4BA704A95255EDA,SHA256=09A613681CBED503B8FAE90EB61BCC5BAD79B60AF2A770B2D341F9CBB47BB22E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:39.442{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001040940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:38.792{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:41.084{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4D098416066D8C12AD7A88741F3F6D,SHA256=E360E7029BDF51399933CFA1322535062DC834BE2A11AB22C9342C75FAC6B267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:41.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D02E21C4FC4E1AD6357E0F4E9172ED98,SHA256=79DBDE35EA4C1C7C2001F21E3EF49FC86045057CD3F7DE23E01DCB8FA8A5E51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:42.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49BACC0C9C580CB4E1FFB3F83351504,SHA256=A0A6A5702F3934B8B94A0DB2D5F0CA982B29928A9CC17DF0A7E00F412F1D52CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:42.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40D8A5366CD1E40A870D113A2FCA6E3,SHA256=499B6A132BFA7A72661D23204512B786CAC09B0030685CB86CF0AA8CD01EEA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:42.851{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CDB4E6C00E267241FADDEABEF05A7B,SHA256=1FCC00A9BD3E1BB866546D473C4374040C2D09867474E7C2E805A40091BDEBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.911{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:38.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63762-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001040943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:34:42.236{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0x84939f41) 23542300x8000000000000000970714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:43.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6507A8CB36AB5F23489E4DA9406059,SHA256=4256472035547B899214099CEB820560232594E5CB0C92C4DB43FB4029F3A4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:43.865{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C5E3001B163A7805D01DDFAAD9CFCC,SHA256=77E483C0B60C61648BDC8F1E6BBC77AF6BDF13995B1D538C67743746899097FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:41.291{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:44.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3785FFCDAC3AA5BFBAF2BF5AF141D21,SHA256=4110D52CA41BF72D3F779107872C6E37EEC25DBD6EEA5CAA37FAAB190E805513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:44.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA35C778E45F2B8AC2AEB8DE62A5D0,SHA256=9AF09139C888CE98A4B645BF9F8CE48ED7DA042E30BE644E09E60027C44F4BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:44.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212E25EA0C315C6CDB12C4E222AA0FC1,SHA256=24C9C03FA675DC0A476449A08E19971576B788EFAEBED5FF04BDC4B138188AEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:42.467{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65404-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001040968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A016EBCBD4E16D6C346372F834AA406,SHA256=338C8C668E0840B5560E9A7CF6F0C4AB6269C02BB2C67311BFE060618C5579BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:45.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A5004D7E6D19E10D74809A4DF7AC1,SHA256=EE411C828B07D66DBE66F11FF7ADC96057CE7760C0DFC574EBD7A68C39213D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8225-6151-1879-00000000FC01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8225-6151-1879-00000000FC01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.817{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8225-6151-1879-00000000FC01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.796{5EBD8912-8225-6151-1879-00000000FC01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001040959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.302{5EBD8912-8225-6151-1779-00000000FC01}14126020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8225-6151-1779-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8225-6151-1779-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.118{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8225-6151-1779-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:45.097{5EBD8912-8225-6151-1779-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:41.711{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58939-false10.0.1.12-8000- 23542300x8000000000000000970718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:46.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EB64A200C7067583EAA37432207F20,SHA256=8B17FC1C81D970614C7A28F8BB09EF322BB8B6E78781DD3A216F1C1C8DD44626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.949{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B22C2BC2285F46BA433E9676C032DE5,SHA256=8F1DEA22A346B62E1199D078A5E24E6D2A0C1A9DE5549385E746A65F798DD2AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8226-6151-1979-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8226-6151-1979-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.502{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8226-6151-1979-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.497{5EBD8912-8226-6151-1979-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001040970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:43.888{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:46.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80097E2219DC60928E6C7B51193DFCE2,SHA256=7C80ABF75239DCD0B5C83A1589C5237F13800EADFCBC0926B787F3A96F21481D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:47.979{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FE53838DF0D71E7D568A2721244CCD,SHA256=6DBE53CA1116D4E102F72AFF4B9E1DC41FA2712BDBCCC6C4619727588FC6D459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:47.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D43640B00BA9F0015C6C7DB3D5D6681C,SHA256=404E3CAD14E4C71BC654A07DADF25BE53079E72EBF3177198488F8CDBACA8CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:48.998{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BEA9BCCBD75159CE35DCC3946BFD87,SHA256=868DB9109E792B58D979DDCC4D8DFD2B01FDB0F0B77AE7B930B48EE657BA1EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:48.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2460A94381D711C9FB487C02DD1ACA04,SHA256=DAB32FF2FE629CB1B0EEA4C5F844D7836D3209ABC1320AAD3BB224055BF5DD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:48.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E111688B5CA95A56F4801BB3738B7FFB,SHA256=79ADB48C7A6754CA3DF42A3C7C85A545659A2F6FB808AA20C74D5D8DD4E89FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:45.765{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51603-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:45.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:48.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899EC54840FF6E908AC15C60001464DE,SHA256=9DBA29EFAED1EF44BE3A575CDF2AFECD7EE49EBD337872B68F294E6C4203F760,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:46.899{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58940-false10.0.1.12-8000- 23542300x8000000000000000970724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:49.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A994EFE1A0D91C9F38DDCFDA7449D4AE,SHA256=7B679A691C417DECF56685E8680076272590DF07A6CA10188B483F6D341547D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:50.015{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B58415AB5B7FAC22FFE08C8A2F06E2,SHA256=B3C6870CF0772EEB351EF8687791D6CDA8F78396B015FED6C0E167EDB8F1CA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:50.251{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2460A94381D711C9FB487C02DD1ACA04,SHA256=DAB32FF2FE629CB1B0EEA4C5F844D7836D3209ABC1320AAD3BB224055BF5DD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:50.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AA9DDA587C73537843EC41235ACBC7,SHA256=F26DBE0132B488A1E65C5F88C68E0F1FF6B2E58AA318C25F98C629CAED0219CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:47.597{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63573-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:51.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4FBCEE60476494016F3AE1AB50B9C4,SHA256=6B1CF2D75FADA310927032CFC688CF52C128117AACF6F442124D86ABB780E766,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001040985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:49.769{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001040984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:51.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44E27B5818554600E4E86BF3764C3C2,SHA256=FC385B43859B31AD05B6F618683F494E630B711E622C34E1F80B3B51C69089E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:52.076{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D06530B68F09961D4DD8FE7C58506D9,SHA256=08F62A8A23E93C7ABFDC67663B8CA66191A608B4CA96EA936EF7168A834570C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:52.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953646937B50EFC432D513D6FC5048AB,SHA256=E97DD6F8D811E095ABE4D048E47EB31CDB3AA54587FF46D92A85F23C97679940,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000970732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:34:53.408{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0x8b3c4067) 23542300x8000000000000000970731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:53.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11545284DC95B36294B8E64CEC0322AB,SHA256=CF0BF466064C391A782A61E256880E73351CE84682B8B655C50C6A8B1A0BF31C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:53.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0DF2A92BC5789BD35C57A74175B955,SHA256=09C633964F46C6881BFE1D64599AEE3E9255919C2886F91F81B53E17E457B788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:54.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCD7248268AF33C68F58A66876F5513,SHA256=1F5952C73FB3B95FFA36D0C04503DC646C6E59B836C07A6C39F7475CCB48B50A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001040997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.842{5EBD8912-822E-6151-1A79-00000000FC01}58805136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-822E-6151-1A79-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001040991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-822E-6151-1A79-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001040990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.642{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-822E-6151-1A79-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.627{5EBD8912-822E-6151-1A79-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061BF6DDEBCD9714A65F1E71C5245833,SHA256=10407D7C7466303F99631AF648026D14C79B4D42E691B92F559469B0F5E24354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:52.992{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:52.836{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58941-false10.0.1.12-8000- 23542300x8000000000000000970734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:55.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543C4EDBFF5C43CD0049A0DE84D118B6,SHA256=15CF01123C79323FC2583E1E1B28D4CE2F9F7F3F188D5A79B0F14A8ACDF7B915,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:53.371{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001041010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:53.371{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001041009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62D6F4B133C2021687BB2B947BC9710A,SHA256=FAEBE11FA1F08BF73C5E6024D37749D79635CDAC8051C2383728AF0C2C99409A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06ED3C2B7E880219FE6372827D19A0C0,SHA256=CE3D632DC723C2F35DC645395FA7A674A45A1117E19AE9CC4E1C97D87A13AD89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.494{5EBD8912-822F-6151-1B79-00000000FC01}59086328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-822F-6151-1B79-00000000FC01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-822F-6151-1B79-00000000FC01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.341{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-822F-6151-1B79-00000000FC01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001040999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.327{5EBD8912-822F-6151-1B79-00000000FC01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001040998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:55.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E05D1FD1258135B49021F6483A09CF,SHA256=3A0A32BC2948D6A9F2E4A047F2E3BD6C886A192BAB7007ED2D87FCCB30D5981F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.909{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.893{5EBD8912-8230-6151-1D79-00000000FC01}45004828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.740{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8230-6151-1D79-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8230-6151-1D79-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.725{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8230-6151-1D79-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.710{5EBD8912-8230-6151-1D79-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001041021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:54.864{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359D6C3C9C77A46F83254B95201C7E7B,SHA256=2BB0BD6BE600ED6C4423032FC22BE5BE55E950471D9F3E0A68AE278DEBE06FEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:56.704{69CF5F33-7F27-614D-0B00-00000000FD01}6241036C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000970739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:56.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A74C2719BA5987203C62EC2FCF9C9F5C,SHA256=558F1BC0F6A57B2133670E286A4396895046097449CFD27D63212C14C4E5A13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:56.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CCBEBB38075168B6BDA53329207021,SHA256=9C225BB67732ED51304287C9F3245A8430CF9329EE4DD548D0D196BE7C402FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:56.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE802D1CA06C38E71B09B7316AFD396,SHA256=37E528A7204ECCDD2E54122DCB59642218B9C6E2C9B403F9F166198B17B2CDD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8230-6151-1C79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8230-6151-1C79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.041{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8230-6151-1C79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.026{5EBD8912-8230-6151-1C79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:57.196{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71157D22875BD6E065FE402DDFFE722,SHA256=2B8463C12C42D0F0B457AB768F0106AB768D83A6F48F5508FD9F51B6C3317C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:57.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA2D0DA114772AD17DD21FD991F2A0C,SHA256=8A7241371A917F169C3764422FB17ABBF08EB74437AB5ED3E24BB57FCE8A7FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:57.040{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62D6F4B133C2021687BB2B947BC9710A,SHA256=FAEBE11FA1F08BF73C5E6024D37749D79635CDAC8051C2383728AF0C2C99409A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.909{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:56.411{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58942-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001041035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:58.212{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D52601DFBA80144A8B2B3EC65772A62,SHA256=929F0BF4978E3EA888D2B3F6DCE8DD89E5B5DD0136F96FEE3992DE2CA560D063,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:55.355{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58942-false10.0.1.14-445microsoft-ds 23542300x8000000000000000970742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:58.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820B85A46E436A9BC1A54EB1297800D9,SHA256=C9B1D53AE054C41E4287EFBC47F723DF756B40639B39AC4083BD8CE53EA6C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:34:59.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5636F1BA292CCFE90BB12A598F71AC8F,SHA256=C2B3CD3268C18388B26E7F3A0769F3C817BC8529B99BC6CE565F2D06B86975D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:59.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45662F62E16A30973552A6C7839974AB,SHA256=11AF929052A8EA2746FBF02D6093508D496CA903AFC869FF5392BF057302DCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:00.310{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB90A5EA954AB9C551CE25FB51DBF932,SHA256=23AEC5FC684C9CE0A13247CA9E4803E2A63F78F34072EADB4930A783194ED174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:00.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EA68D815DFC629FD6916CD7EB1E234,SHA256=2BFB77959F45C83B6EDFEE92A1F4AB9A25F14902967DAAE5DCE358ECBD6FDBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:01.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCC049F1040903D381D0E3207D02680A,SHA256=B204EAA2EF902AAC9668D8BAC0D880688DE5D6806371C39F1318F20DD8E8AC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:01.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1197E29AD78344CD8BEEA64F6A7D83F3,SHA256=8C2A424A80A00DD480AF4FD8D751E161F0F3118A45ED22AEA5E1C117B9307F41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:34:58.789{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58943-false10.0.1.12-8000- 23542300x8000000000000000970746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:01.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C778F2BCC6AECED672375B8CEAE3EE,SHA256=C4329CD29A2CF0091AE02B8C7AEC3DCDB8A2CE1F5A76ACB589C79D47A3574DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:00.832{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:00.039{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:02.340{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9698849846F8CBEEF84514EF0B9E9051,SHA256=C44DE18D32C2405DE3BDDD2C89043193DFFEF135B6E973825DECDE7F67027657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:02.160{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B139299A06F6669CB340818E8978C904,SHA256=5B0502E7D7520269DF1A9FECB0152A4B9F8FD7260418D09037CFC64662ECC48E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:00.506{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:03.269{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4537D960E9EF4DBAB8C1FB6B2221E2,SHA256=55E0C1741BABC80284E10F47D71355A9D198E0DBE9744137DD2B7283C6083217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:03.269{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A74C2719BA5987203C62EC2FCF9C9F5C,SHA256=558F1BC0F6A57B2133670E286A4396895046097449CFD27D63212C14C4E5A13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:03.175{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152ECFDBD38BFFDAE8D7B11E37A26911,SHA256=FBFDA662D4602266FE95547D9B837F2AE3E8EC22D9C48DAF5B9C33937D2BB911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:03.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E86328D13FDA5D0515463ED176973A,SHA256=8C8A442501D0A36BE6FF56734984AD307E2E358ED8A705BE408892FB9BA1309A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:04.988{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD5EAEBB831E7E699F177F52FE267DF2,SHA256=640CC908EAC42A8ED1CD34E8197F1EF1467355043D1749F75C3CC25613157F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:04.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FABEC6FFAA13E24F60A7EB1D56941F3,SHA256=7735ADBC13FEFCC50305F5E86B011F0A3C9F95FD4CC3AF1D90D61F88D1278661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:04.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355FCF13171A2677DE6938E4255736B7,SHA256=CFB1B337D675CC6311963549379F82FE885B2ED838DA8CFFBD6695F57CCD878A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:03.364{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59776-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:05.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2064E2BF83E6E509DD5236BAAB35C837,SHA256=F0CBDFF5781EC3F4FD7C12AB90CF1C1849B49774AB91C3B3D5C92D9E004F2B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:05.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543BA6587AB7E3D492442F335DAE680,SHA256=9A79079EFEBB3229ACD5EE69793320142F8F8115CC477705CF4222F6DB9D707C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:06.452{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F76F55CA1BAEB9236BF4EF4BC0212E5,SHA256=44423A56B85E5A85CE70B4242F1864B01F770284D0AAD2A5AF00AEA7C82E77A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:06.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3274A49A72AFF7C0CA5FFD2B7BAD8A0,SHA256=91942214B4E8A710CBBDCC215F5875434E5ED013DC2CF48E511A427ACD3C8B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:05.928{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:07.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F8BDB697D382244FF7C6C2B07FE455,SHA256=31EB5FE98038E364D38D87FC5DCEA9BBE6AE828AD81366D4B9C95CD0402DD277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.785{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55E8777066658CE93AC091314A0895F8,SHA256=13736469974F1F1529E7B445107D9DF935E318B89A7E7A633925FFCF3B74CC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.785{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D208EF5E436D9E3884427164CF3A5205,SHA256=B843BC22547B4CEF8296E9EF5585C7693064AC4038DF05769D4EB38E1180AD3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.222{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359CC7F6D1950F413831F016E199EE30,SHA256=E863AD024484E050DE191946C8F1D57901EE53093F3D7541C5F64331D4548DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE08DDCDD46DBC5938B706A7E8C69809,SHA256=E34C1EAD55C6A6DCC1E695C227A57BA9BEF73DC9A830AC59C83CAAE85945D0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:08.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AD58A4E510369171B60008981FAD2F,SHA256=63460B23CC25ADE000100FA22255F110300816BBEC974D8816AD15FB6ADA23E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:08.647{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4272MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:08.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFD0DB5AD0CF21B098BBE50EADFD4A4,SHA256=A338937B3004A01E29A92114D79E6D2542263888F63A7B90B82223E0F46840F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:04.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58944-false10.0.1.12-8000- 23542300x8000000000000000970766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:09.662{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4273MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:09.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF117A987FC27ED1C3294F902053EC6C,SHA256=C152F5F84EE3EFBB16E9496EC9C4A69E6E80808CC96A22D086E8045CC9593B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:08.046{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:09.486{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260182EB9B5A66CD8C5D67C61EC5B7CA,SHA256=EB5A8C83D2ACBDCC2CB59D9F24030EAE338756BC3AE102FDC7C7D8780F4E0163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:10.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6987B244F8BAB00D8243321D42D586FA,SHA256=DF433225CB2B3B4427B70D095F06CBCA177762C7C90278C4ACBD969FF43B4252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:10.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2D30ED62FB4B4CFD62B5B31950F836,SHA256=9C50E7BCD9FB3AC16737AAFEF86C1AE265E2344D250A063DDCA356290BF4D1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:10.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4537D960E9EF4DBAB8C1FB6B2221E2,SHA256=55E0C1741BABC80284E10F47D71355A9D198E0DBE9744137DD2B7283C6083217,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:07.734{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65085-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:10.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242DCE78F12D2657B1DC23A0F0B708A0,SHA256=66FAB037AC7C350C29C6D11C611899FDBB9B3E03FD17BD4DE31741B63A4D0AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:11.520{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DDC559817EA55B49DE1D50A5E52631,SHA256=D50542336C2510C0024AC4BA6E8741B06B94C6D4A0E4B14A40823C6D4A947E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:11.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688A6E7727EE4AF5151ACDCB17C52C3,SHA256=E864CADB5CF7A24DD64D1E96C2F3A276B5488B78D14D0FC8B18459B915DD9A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:12.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98E2EB28B05B716D02D57137987A64,SHA256=BAC65D8A3407D61277004A0DB7F5CBBCDD17A6B5A5B983BE1908180DB6E982D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:12.880{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:09.740{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:12.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2D30ED62FB4B4CFD62B5B31950F836,SHA256=9C50E7BCD9FB3AC16737AAFEF86C1AE265E2344D250A063DDCA356290BF4D1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:12.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D5B993FE1515BED7797A870CCB5698,SHA256=23B1DA481E7A5203608987FBE4C8CB6EC93AFF63B901144BCC87FE57AF673800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:12.235{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0E00-00000000FC01}984C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:13.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC8624DF78BD5411F8EC0ECD06697B2,SHA256=B0354A952817B4962C33F1F58596FFD736A1823D3D38AE16472C9C3F80D5A06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:13.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F59416C45D197AA484DE5665066E64,SHA256=C22BC832AE77B3E99C1B3D7F02A14E7339EBE7306B7499A6B2B00AB37A8873E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:14.632{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4135D06FC58578A73A99D5999C319C0,SHA256=CC5BDCC96475268935D7B4C88A9AF59B947666B244D7918F2B3FE7926F566648,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:11.512{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58946-false10.0.1.12-8089- 354300x8000000000000000970778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:10.746{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58945-false10.0.1.12-8000- 23542300x8000000000000000970777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:14.271{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FAD5AE53FAE2974E86D8C405DC49C9,SHA256=8C9FBD3B11D41BD05F4845648D38E11FE30C68820F5EE48979029B29D897ED41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:14.401{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:11.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:15.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E0EAECEC43F08F9FA00F29CC10EF52,SHA256=7A74F8BFA960A5D72A76554AEE058A51BA33CA9BD3739B802A8401E6E1DE5B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:15.287{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8A3F76B167AA1EBCF4ECB3F90CCF8C,SHA256=B925CC4B9D797FE03A6A238BEAA6B2785CB318B06A9661DE21CE63D85814DF19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:16.815{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:16.679{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2956F8D7899494E8C060A6D3EEFF94FD,SHA256=C0C31423C0DEC55E7FE590C64B4F222D184F79EC6EB6C40C3E4EC121A5439E70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:12.804{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com17968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:16.287{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0AB58E750A3DAC54E412AD11C4DF25,SHA256=A7BC836EC34263BE8D4F4BBCF80DD033B4C9EE241AA62FD204C7B36A96E84727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:16.146{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C224AA8B4138860A2F74D32C8395796,SHA256=A6076B251FFCB3E365CD434367A454ABAAF5EDF5FE4B5FA51417EBBC4123B094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:17.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF932E72F2EB30023596EDC02909C7,SHA256=0634F55C8447FC4429F2AA50A5C4332B8D5FFBA4E50C17A3B958A009A41F6C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:17.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DAEBE8841DA33B8553E69C3B94BDAE,SHA256=1C185AF514ED6DF6F99D1805DBD74F684C02FCE977AE3A558125673C39CDD335,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:15.670{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65193-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:15.670{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65193-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:15.187{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com20814-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:17.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E924B7AA10442AF876C6DBDE8F3665D,SHA256=3E489ADAB654F1F9C60634F6A08B335419CB37B42FCED37D5760AED740B22251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:17.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B822C8CBDB62744CE733C36781C8B53,SHA256=8D640974E39BD4978C4C8D497561091BC62C965F7ECE755DE0FCD15BCAF7B847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:18.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66525CC9AE23CFF9F46D296DD0807D2,SHA256=DDFE6DB89B3133730ED61F911DEFCA28B2F70864FFFB7C70F26EB0D1CEA501FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:15.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58947-false10.0.1.12-8000- 354300x8000000000000000970787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:15.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:18.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=909F88F0E0FADD35EAD1C4D52A8B83E9,SHA256=E9772441885030A0BF896F002156DCD37969DD214172E49C3C87BCD84465EA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:18.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F06DE837324F2C78383AFCADD5814E1,SHA256=45A6A4AA9C9B76F92E780FD5BAB2C1C54B79939056829A180EE94B22C49A7913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:18.546{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E924B7AA10442AF876C6DBDE8F3665D,SHA256=3E489ADAB654F1F9C60634F6A08B335419CB37B42FCED37D5760AED740B22251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:19.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E237DEEA4EE50A0954739737893DAA,SHA256=5318D615ED6FCAE905EFC7BD114DB284C65CB2BDDD366CCD2C2EB64F79313FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:19.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5129D533F4848CCAAFF18C990D9D5B86,SHA256=FA722C2D5842E33AE25C6E96E91C222241BE70B1DC6CC3428380F93E287C29CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:16.910{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53744-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:20.860{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689A4267BDB1AC149AE7CF82170AD6FA,SHA256=01842B22F7B11F4AB0E3914B6A4358D1FCEECFE3D0A44D212834A2581FF15362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:20.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89373D530C75BA20C9C4AFAEA9E36C0D,SHA256=73C00CB33759C96CDC923F8D94D0EE24E86134E3A4507E2959D63977F6145589,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:17.806{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:21.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B223DAB7614FCC75D30C3843F9F57D27,SHA256=7E3B43CC9EC893F600A839E10CA9BFEFCAFA03624C70BE24F52632D21E09DA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:21.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1D3B28D4CB681C519776A1E007473D,SHA256=4C2EEC053B4B4CF2D50424D228273CDD38BACE844298946F804390AAE075B03D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:19.563{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:21.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39FEBC07993A6D745A18C896401FD1F7,SHA256=D52383412776CAD13D281BDA1943DD3781397D414E3862B64BBBB500170D21A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:22.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24868B6C4A1B6D183A1D8D77B703A39,SHA256=9917BC16384A6BB7DF733E8FA1F0FDF608A6EED1127117EF253023B75A6EBF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:22.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A293DDEAAF32010F9F9479B386C6E41,SHA256=89DFE9FFA2F5265C612B933923C0456B20EF6BE5C7E670D71A887419D3DB67D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:22.911{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7000099ADB681C4EBFCEACB44C567725,SHA256=DF57DC7DD35257E69DD122CFB881CD57D7E60590D13A6752DD97356BB49E714A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:22.312{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:23.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10988B75594D14DAC518C1FC163A75D,SHA256=AAD2BE13C19599B8B86D3101FF29ADDB46792A611DFA61CB633B22947FFC0881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:23.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FB85C3AA70774D18C41E9A59820E2B,SHA256=715D69B3436C5C25467C4FEEC7E69EC000315ECA58E6E667E981DE8195FD557F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:21.298{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58523-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.970{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B8D3E460074486486FA8ED82009D6A13,SHA256=F2A7F2C6C7BEA04661E53B299E8DAB05F961F8C33C29F2CF36A443CF32143A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.970{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C71DA9289EC76ED446EB2E7B5698FA,SHA256=0D5D1E98FC98B48FA5AF124CAB1732BAD8CF552C9484BD201014E76230640432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:24.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1720F78A8E4C2F9D97C599223176F8C7,SHA256=A173A2683331E50E9045DEE51BEDA37EFD7DB230600E69845A9300769BB86ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.901{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D3A22D07726382DBCE0B9DE7C6B97D8D,SHA256=08851A2D0EB9918CF1B3C99E36DA4AF491CE7CD8CDEA0658DD54BDF7A0F7F30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.885{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.885{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=463FFB69283CE6433D4F8CEBD0A75210,SHA256=B820576CEFA414D8480D8FCD03DEAF77A5FA490F7C98DFCB0027005DB4CCBB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.885{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.870{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=BC2CCAB2D4C00C6154BB6A73FED9806B,SHA256=B72058BD354EEDBC3F6A88E707C3C6165F84FA524A26BA5F5A2BC75A64FB974D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.822{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:22.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:25.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352D6E5A46597942AA5D9A004FC82974,SHA256=7E76570286C7319E5EEFBC27F107088D29F78568C66928A24606FACBFC51823A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFC02A5A6C8C3A3631382692CA97940,SHA256=3F3F428B4FF3F772397FD138EDAFCE8125D87A6E9766AE5B1B9F6A508A54B7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.647{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:23.427{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65196-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x80000000000000001041144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:23.425{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59347- 354300x80000000000000001041143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:23.423{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57082- 23542300x80000000000000001041142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.132{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=7F960BFC89F6D65EDF08BD6BFDCD8F42,SHA256=9EC921E340BDC9FECB488555A03AE4E45E3C26AD2093F276CB9ADD88C858A8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D3A22D07726382DBCE0B9DE7C6B97D8D,SHA256=08851A2D0EB9918CF1B3C99E36DA4AF491CE7CD8CDEA0658DD54BDF7A0F7F30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=EF6BE82E37320E4A92D4F813DFB8812D,SHA256=21D90FC15E5A8B58178E5710653EF19507974C6A4D1FDA659ABD6ABD8F2E51CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.048{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=BC2CCAB2D4C00C6154BB6A73FED9806B,SHA256=B72058BD354EEDBC3F6A88E707C3C6165F84FA524A26BA5F5A2BC75A64FB974D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.048{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=F2D9C09699BBA80015D2030D9F9FE592,SHA256=AFE24D27BB16ACB5ECCD5995E740E1ABF62A08F95C60B5E91AE262BCC7176322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=463FFB69283CE6433D4F8CEBD0A75210,SHA256=B820576CEFA414D8480D8FCD03DEAF77A5FA490F7C98DFCB0027005DB4CCBB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=7A5667403427EB376D59C8E5E3A661F7,SHA256=25F5C8E46C6D39C60DDB7E869EBC09E07EB3F130E5D3FE84096FE1D1DD99789A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B8D3E460074486486FA8ED82009D6A13,SHA256=F2A7F2C6C7BEA04661E53B299E8DAB05F961F8C33C29F2CF36A443CF32143A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.032{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.017{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.017{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.017{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.017{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.017{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:25.001{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.985{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-824E-6151-C378-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-824E-6151-C378-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.895{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-824E-6151-C378-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.880{69CF5F33-824E-6151-C378-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000970811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.426{69CF5F33-824E-6151-C278-00000000FD01}40643536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45182437E993FE6B08A265DF3BC89BB7,SHA256=A3BDBD7C40B3051E35B33E37CC60E3FFF7EA89E3822061D6F8185356B97D4555,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:24.073{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58056-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:26.016{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C76486E771CED45ED9FCF41106C3EEE,SHA256=C9D09F904C991ADD20E9D71A4787B2B1FC015870E7CEFD6297CB3BF6ABC5A005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-824E-6151-C278-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-824E-6151-C278-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.207{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-824E-6151-C278-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:26.193{69CF5F33-824E-6151-C278-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000970796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:21.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58948-false10.0.1.12-8000- 23542300x80000000000000001041150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:27.030{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2345270F8A03069BAB516276846BD8,SHA256=A447A768EF9EF0B7A241093C194CEE9FF9E115061A1111A3AF7F2ABFDBD22254,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:24.479{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59034-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000970841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-824F-6151-C478-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-824F-6151-C478-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.567{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-824F-6151-C478-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.553{69CF5F33-824F-6151-C478-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD43685614C2BE134D79769C664EBFC7,SHA256=3628860393C3AEA2A703303B2E861D97C1A00BCAF3E75860E55C18B8AD0672D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51DB8407E2BD774F3AE032918D75A4DD,SHA256=DD7E0B9E869BC7CA7756BFD43EFF38D30C291FB2C824F6F409A408715EBC3D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0227283EB0D38B5BF8FCFC4FD9B9933A,SHA256=4B6B3CC3AFBCE172A8FE1B482EE94E80C44891AC3C4369D3F7AB9FA7955CB9D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.145{69CF5F33-824E-6151-C378-00000000FD01}32361108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000970872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:25.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000970871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8250-6151-C678-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8250-6151-C678-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8250-6151-C678-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.879{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.864{69CF5F33-8250-6151-C678-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD43685614C2BE134D79769C664EBFC7,SHA256=3628860393C3AEA2A703303B2E861D97C1A00BCAF3E75860E55C18B8AD0672D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE82FF7312036BC259BADFC9882E4BD,SHA256=CF982FE21EE15E6648582118C2D3AC824AA54A3ED113A5B2A3461130B885C16D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.426{69CF5F33-8250-6151-C578-00000000FD01}24923232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:28.262{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9022101FBB2FB93C64212F6568B36DF1,SHA256=2E53D7A214982434B6A8790C0D95B9CD1887BADD59153AA480AE03CCA06E5792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8250-6151-C578-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8250-6151-C578-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.254{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8250-6151-C578-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:28.239{69CF5F33-8250-6151-C578-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C771FF7054341797EFCE38E29F1EDA11,SHA256=985F3092281AC502AB46D46DDDFE189DCECB0A38EEF144697A2D3A79592C4ECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.723{69CF5F33-8251-6151-C778-00000000FD01}13282836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8251-6151-C778-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8251-6151-C778-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.567{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8251-6151-C778-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.552{69CF5F33-8251-6151-C778-00000000FD01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:29.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDFDD8FA14C28ABAA512B7B895F87ED,SHA256=1B39B946AF498097ECB9593295D69B51B0416ED70FBFE50B60146C3837AFBB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:29.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47292982C1DE64E8D49B256414C8BE54,SHA256=98EEE376669F50680141EC9F66BCFEA83888BC7D6BD196DD1BCD0CD279E94199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:30.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F86561ACCC8171C6E44968AF1F0DF5,SHA256=20A2BCF4674E3F95B31B0A467191C9935A2158E8C38B5867BACEC6A6332494F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:30.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18451121C282DAC777B58207F7E06542,SHA256=A7F252D7AE2198E1323B78E9B723DEF28560BDBA0C5AEC936476EBBFF94AE40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:30.862{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598DFAD44CEEE206688089322F3F8E41,SHA256=B063FAECDC1E4D3923DEAB23E2E92E8027078044D1CE1B47EF729FF503AA0E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:28.773{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:28.280{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60717-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:30.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEEA2D35EF8670031D0BE7A3061AA1B,SHA256=81EB323FA220B1269208D08FBB734D5881EF4A67561F24302BA938CA5A1572B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:31.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF97C9B5291C550B43F756505C853F7,SHA256=6B8CAE49318E841DAC35B7D6F2B4DBCD7C2D492719D09347CC9A27463D9BC477,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:29.895{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in50948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:29.641{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in50849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:31.413{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277A79C2F82C3BC3664D713CBD14D744,SHA256=860EB0B130B01F5101940A09179B0729CBCB3044DDDB25774AF0BBA903DB8979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.776{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58949-false10.0.1.12-8000- 354300x8000000000000000970890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:27.698{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001041160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:31.128{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:31.128{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:31.128{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:32.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055593800DEB15407111CBE88881E2F8,SHA256=E77B7A813A4F7AF37BBD62A08D06DC55E0A7637AC11C8EBE5A6CA2DDBCF2B651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:32.480{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=65B5E3D563621AF23B28319BA2FE62DB,SHA256=8A97FF63702E525D971554C3EE1CE56B127F81316EECB424802A6FB9418CE5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:32.480{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:32.461{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA9D67A55F798620C25EF21EA46B264,SHA256=4E9E770E10602051ADD59C029CEE0F991330BCAF831A156284233CBE2E91D4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:32.254{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=53394410BE18FA5F4704D3E99EEB813A,SHA256=49B64E372CB529C76819505B87C3ECC6EA5BAC14483F001E0160C79175E8B2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:33.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA0FD59340090F592E67842686F4560,SHA256=3F6A3DE3FEE701186E13A2AEE1FA431239CBA3D465AB23F28140F7144F3E07CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:33.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B698382293E3B24F87765617273DA61,SHA256=B831B9DEB58AE3C8138DA00CCE9FF7EC9AD9FC2A9A14EDFB63BCADB53AEAC57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:34.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF37A563416F1055ADC68D3D28840C,SHA256=1CE43080941DD9490E55FE465DBF87DD00FEEE4169EFA93FB076EF1C384C3314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:34.504{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A4A86C2EEB304331FF90D9C548F6EE,SHA256=D732E2973102A45AC76DAFC418B58A3FCE5FB54A076A94E94B605D1FCA3C6CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:31.506{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:34.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BA1EE7978DB849835F60D362F889657,SHA256=DCD5B7758F36AEC5953BDFFB783B40EC7C548037FCC7DDEE4360DA71523B8CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:35.777{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:35.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70272377F48437E5F7008CEB7140DB1E,SHA256=9CE710CDB502E53A0F75862479B6F283F7BA1E63668D559CE3EE1DFB1EB0B505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:35.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42278C803E250FF5C984C513391CDBA8,SHA256=EC91D5366A029095A0A6E646528B5AB3CA56B98CBF7BE4DDF2B7AD21E0B979F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:36.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4F5444FE27A7B0C96E4F3AB37D617EF,SHA256=3B20AA0E8AB15097C92A2ACA16F89E961FF52A04F9B06BE55B74A4CE3F16A527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:36.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051804A2AB73CBA7F25C172F620B9FFE,SHA256=981610AC2495B4C1F007DFD6257232BF3E820278FB9D127A42B4BADB6357C906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:36.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439752B7DC0D3B80DE38FC7435C3100E,SHA256=499AFD753D9C9693E37C00CB55D1F15562D56121A511B8879B3BAB994615695C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:34.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000970900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:32.839{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58950-false10.0.1.12-8000- 23542300x80000000000000001041177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:37.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE04D4EEF9F9E42A7E84D502DBCD04F2,SHA256=62F86F52BA461CC03356BD1FDA4B1CD775888E249DACC34A1973DE94AEB35630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:37.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18451121C282DAC777B58207F7E06542,SHA256=A7F252D7AE2198E1323B78E9B723DEF28560BDBA0C5AEC936476EBBFF94AE40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:37.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32568EC37F134DA2286CBF4F9C8F3CBA,SHA256=4433123DFEFDFB633C5805A9614B9E37DF9F90D6F88F9AFB5FC31F397AEF6C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:37.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730194059638FFC7A81439651CAAC0A4,SHA256=C875BAC27D11AA72DEE3455DE7A1C33A581896069C8B16A4A4174AE5E5E008E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:34.213{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de60361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001041174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:35.447{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001041173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:37.110{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4272MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:38.975{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8A7AE10A4D8A1BD05F5F8EFA15271AF6,SHA256=FC669417714BCF34B16998455B6B6C9B1CE1A8FF938B11BC88315A73CB12078B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:38.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF61F58EE092B73F4CFC9C301819172A,SHA256=D8AC7D1A19079FBFDBF145EA93DFD88BC1CC92BC44E8F8D8F9C1D3905F1768A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDB3D02D82A81E4BF5C7E0E655309FC,SHA256=3590EBB5569CF8C104DBE1F82016894296AA9606B1242EED947E49C092E78FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:38.124{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4273MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000970917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-825A-6151-C878-00000000FD01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-825A-6151-C878-00000000FD01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000970915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-825A-6151-C878-00000000FD01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000970905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.412{69CF5F33-825A-6151-C878-00000000FD01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:39.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F3AC8E953D4217D17F351763D981CE,SHA256=366844E117A61D6675F0C499F3AF3515058C07AFDE1600AF340B61D9F6706987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:39.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B546B9B52AA4F261E1A0DD8E36C408B,SHA256=6984FC39FBB8A0B6BC815412EF23646489E54555C92E89CDA5ED86477A4558B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:39.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD8C1A897535AC817C049E467C8FF69,SHA256=AA0289419378982DF3E8A42FE85DAF68F3DBEC07832541E91EDC70BDA66B58C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC35063FB9EB444B0111FFA4C354EB8E,SHA256=B74A590EA3CA4229C10F731B6236B48875E8D8C11738DEECE7A1DDCA2017D73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:40.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5695D9E0346802E7426F9AAA1FB725,SHA256=A89940D319AF961808AA3946BEEB83068F46384DA760B49422BB7EF1F91E11B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.689{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.674{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.674{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1867fbf|C:\Program Files\Mozilla Firefox\xul.dll+1a7ca90|C:\Program Files\Mozilla Firefox\xul.dll+1a779c5 10341000x80000000000000001041184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.674{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.674{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:40.674{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.903{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001041197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.810{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68ED4F03B50356B8110F0C53BD583F7,SHA256=C069478E85B629E20FEE6EC7B0EE30E9079B6FE5DB8BA72987EFE50F37880C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:41.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21181A050D43F9A74D6930B2C237BC3,SHA256=2E360491240191F8E5613A23787A45D21B18F5145974420ED83BB0483B535347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:41.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8B262678C983E95CC2A9A4DDD1831C,SHA256=BC6292C995FC410FD794BFB6073F0C8EF26248592FFB22D0643908B2D26E3FE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:39.897{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001041194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.561{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.559{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.559{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.558{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.558{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.541{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1867fbf|C:\Program Files\Mozilla Firefox\xul.dll+1a7ca90|C:\Program Files\Mozilla Firefox\xul.dll+1a78989 354300x8000000000000000970922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.285{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51229-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001041206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.978{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C719C8F248ABE71420D97EEF5FC3E4,SHA256=CA3575338099BBCC3EB959A09F6075A770E2CFB2702FB733A338D1ECFD5BC476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:42.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5710A3D7CAE94B0252E5B8A4FC8D86A5,SHA256=6BE03108EBC52F214CA0A9BCB5C623E5CEA504197066DE4EDE1B8F5AB4D2D509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.620{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 354300x8000000000000000970925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:38.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58951-false10.0.1.12-8000- 22542200x80000000000000001041213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.827{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.google.com0142.250.185.164;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.826{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.google.com0::ffff:142.250.185.164;C:\Program Files\Mozilla Firefox\firefox.exe 13241300x80000000000000001041211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:35:43.864{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0xa94f48c0) 23542300x80000000000000001041210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D2F77D59FDFEDE76A324AE89279FC7,SHA256=642F3F291D3A2637A0B2FC677F7DCB1C762C9A39DF04002B38FF3794C85B33E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:43.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751EF68A6E63112C4505343B46BF8805,SHA256=483E5B3E11FC3A65EB5CBBC95A308F60EC7C59222C308D3F7910CA98C4586C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.459{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.458{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.458{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1d25067|UNKNOWN(0000026DBAAE7C24) 23542300x8000000000000000970928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:44.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F941C12C5BDF1AA341259D4075ECC7,SHA256=9B4E070472841D049B78CD7519857241B8476AD81FE134FAB51C9FEFDA1BA204,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001041220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.828{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.google.com02a00:1450:4001:813::2004;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001041219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:44.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8132C916B4D86B38E0120C1705F60B,SHA256=1A4585976601C2C1639CD48ADFCE9E50001C65117793D96B41145922788200E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:44.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B83455ACAD6CB17AFA4A758AF207833,SHA256=4095D243004BB8C21A89D98141CD3C009A00F78197109363B9426D9DCA767AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:44.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE04D4EEF9F9E42A7E84D502DBCD04F2,SHA256=62F86F52BA461CC03356BD1FDA4B1CD775888E249DACC34A1973DE94AEB35630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.519{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64462-false142.250.185.164fra16s51-in-f4.1e100.net443https 354300x80000000000000001041215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.518{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57427- 354300x80000000000000001041214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.517{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51553- 354300x80000000000000001041242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.543{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001041241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:43.486{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64967- 354300x80000000000000001041240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:42.722{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B0DC05C50559867972AA1C98378E14,SHA256=4CC9B4DD274783AD4809E67015203BE97EA13D97560122C097F702C1F25CC331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:45.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083E00EACE50E78FF12D7668E69F6E7F,SHA256=D5C537C6A9A615D7D0ABFC9B30376BEE82571081C0094FC0B0AD4E4AFCBCD26A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8261-6151-1F79-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8261-6151-1F79-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.683{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8261-6151-1F79-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.668{5EBD8912-8261-6151-1F79-00000000FC01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001041230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.467{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:41.706{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001041228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8260-6151-1E79-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8260-6151-1E79-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.010{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8260-6151-1E79-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:44.984{5EBD8912-8260-6151-1E79-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001041256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.856{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.286{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54993-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:44.781{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.101.135.90-61755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.814{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B8EE6AA97BAF8543DE854757C34BDC,SHA256=32D3D356FFF55CF76CCE2FAB63683E8443BF51DF033441169DD30EAF198FB129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:46.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BD76658812194FEC7437A2A0581343,SHA256=B52674618B06EE5E5273111FEC027D039946546AEBF11CC1561CB6646B2508F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.528{5EBD8912-8262-6151-2079-00000000FC01}7083988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.362{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8262-6151-2079-00000000FC01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.358{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.358{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8262-6151-2079-00000000FC01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.358{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8262-6151-2079-00000000FC01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:46.342{5EBD8912-8262-6151-2079-00000000FC01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B83455ACAD6CB17AFA4A758AF207833,SHA256=4095D243004BB8C21A89D98141CD3C009A00F78197109363B9426D9DCA767AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:47.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513D65F1ED7447524773A77910553340,SHA256=E850517A849A62297405A500618347193289E7BADCE8D1D0A9A2633008597726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:47.816{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1B74A3796FEA008969921E5CC37C7E,SHA256=6B50CC7BC7D84F9AC2679F6A9A6E4CB2E3A7FE4899C5A3C47632D73F5DA94304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:47.115{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5EBD899838E27C458A0A9E97365326D,SHA256=F9F39267A26CB3521D553BCE94DC9237D111DDBAC4954450389C7EC6933840E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:44.865{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58952-false10.0.1.12-8000- 23542300x8000000000000000970933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:48.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D58FB3796A065297C94AFD01A1CA45,SHA256=77317202D35624B45A5F6DA09A02A212D19B37FD9A7C70E22E9C85261AB492D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:45.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:48.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D6BFB0D08832A7C7858C98323B6EF4,SHA256=77E7A0713CED09DCB25F110F44ACA94AA9B153BB031F3D7092DA4AEFF8A1620C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:49.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D215BB3805B678FC40CA4650BF7262,SHA256=CA23C16E5C49FB40A623CEDFB7CB63639CF4F51AEA4CFC798DCC01AC3BFC095D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:49.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DC37CE49DCCB4C370F3D2E07C481D1,SHA256=6412FEDB44CD9173A70C4E9942CF275B86F72BCD6CCDC079F0C344642592440E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:50.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C9CB0951C9E588CF616660621E0201,SHA256=30DEFF06431654899E88073582002744E443E270909D56FE8BDB922A95C5C876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:51.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4E1B7DC0B33102BE98B9218A6CA75D,SHA256=1C6A74B40F1739F4426FB19D4008573E4462F3DE578ADCA48C5BE774A381D040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:51.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A8B7C3E79670387F0424AF029B982F,SHA256=7323E1C7FC48A1E7710A5A034A4B21D19FE7768DAFEF2580F4ACED41DD14D53D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:49.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:51.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24857D45F834815CBA28F6DD7F12416B,SHA256=C550A4920FE71257508DE2D9654D0E7B0B389FFD3FE7AC61FC3A9BFCBF8A4FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:52.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21DBFDFA266A02BF0AB17E6E3FC0B4E,SHA256=5837F0D0C61209ECFA52368F867A421A5C060150EC4CC9F415B329CCE8A8E3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1ACC100377F2D7F622DA98A588DEE4A5,SHA256=2453001E759323E0E910DBC7A827A070A2DAF7B31B43E5EB6F952467928A1530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=AA078DDB959476C9167C9A5B80C6FD2E,SHA256=C887E380C37D4FA4AF2C77C83FA15F9BDF94ED8EA2CBE2A16F39E973B92054FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D4162BDC4A4FB058AE59595D0D17CEB8,SHA256=641000C89C04A2E7603A5601E175106B022625F059729574CD1CC269D3BCBC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1EF0B9B114761974AD260C5F43EE6483,SHA256=937D641FCAE96F10A7CF76D32099513FCBFF8AFFC4D6636011EEF937159DF723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B1045BCBBF25866D99E7B1CE2D35C678,SHA256=9C32BFCB26D6239B12F2F2E64444EA2B9ACEED8E27DA2A097178FD206A41F0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.937{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=20A7385E0E4836A021A78EA0B5593B9B,SHA256=0CB16E05E8AD46EC9D53ED91A83E4173FA408BACC0D791CB7AA21E68EA7B5BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FA40DA906989DA2C8132E5D1AA52E2,SHA256=F13CA31FF058282B5A7854D5998E32780C244DA3B9A6945803613D185962829A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17401B5F103484F36C7BF89E5C07D0E3,SHA256=636C0DBA542EF5DEF9CD0B5A98B80BAD61EA0327B555E742A1F54B51DFD37399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:52.122{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFDCA835F5FDFA71718B8A8D75B86CC,SHA256=35E4BBC1FC53A7AACB2A9EF6E381CDB01C8694810C6A31D75359A01594AC5015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:53.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FFAAEE308D46BEDC68CB1BA9C613C9,SHA256=A59AD9F0114746C0D33A33AAB57BC779CA560EB4A88060BD154DB4D634B852F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:53.124{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56316539465DA7DF53DEF16DB1988B9F,SHA256=DFA6F716B131D5920F47F040E44A5B62315427C60491572D446698EAE3A71C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:54.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6978ABD3D0A4DD90B2BCC5563FB246F,SHA256=98C8F3C1B4158C2E74EB1B80BE445CBCB086B1961D63FBB5E20ABC9BF3779EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FA40DA906989DA2C8132E5D1AA52E2,SHA256=F13CA31FF058282B5A7854D5998E32780C244DA3B9A6945803613D185962829A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.690{5EBD8912-826A-6151-2179-00000000FC01}64885028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.504{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.504{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.504{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001041282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-826A-6151-2179-00000000FC01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-826A-6151-2179-00000000FC01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.490{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-826A-6151-2179-00000000FC01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.475{5EBD8912-826A-6151-2179-00000000FC01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:54.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF64CBFDDB400A171F80CA1037282FC,SHA256=385D82DF386BCA192812ED7C10017D08C0B547104709793A1DB998726AFC76BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:51.856{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000970946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:35:55.906{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37a-0xb07cd055) 23542300x8000000000000000970945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:55.531{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5683E01578B015317FEE0768C430182D,SHA256=741FA99BAF35D555AFDB81F44552A6196430A54702707972388E68FCCA6E1CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.962{5EBD8912-826B-6151-2379-00000000FC01}54646780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-826B-6151-2379-00000000FC01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-826B-6151-2379-00000000FC01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.761{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-826B-6151-2379-00000000FC01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.748{5EBD8912-826B-6151-2379-00000000FC01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001041297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.281{5EBD8912-826B-6151-2279-00000000FC01}4548944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC82420CAB57A55777B08E5C9033C497,SHA256=9832C528ED2E41845D89C1EFC8763ABC2730344C83CA30116F62ED2949ECB8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:55.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4E1B7DC0B33102BE98B9218A6CA75D,SHA256=1C6A74B40F1739F4426FB19D4008573E4462F3DE578ADCA48C5BE774A381D040,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:52.204{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59978-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000970942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:50.694{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58953-false10.0.1.12-8000- 10341000x80000000000000001041295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.079{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-826B-6151-2279-00000000FC01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.077{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.077{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.077{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.077{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.077{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-826B-6151-2279-00000000FC01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.076{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-826B-6151-2279-00000000FC01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.062{5EBD8912-826B-6151-2279-00000000FC01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000970948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:56.766{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459E40D5CAFFB75E43AF12A6E96457F6,SHA256=C91BE79D0A0FB610D7728B9B17F80E28041916360A747E3C41552561FD022747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.649{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=8EC54B08868A0ED182B8A1156E4E1BB9,SHA256=96373993D45515F11E51BE96B0A60F5AD0A888A4DC8E9480664B22C245472D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.507{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.282{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-826C-6151-2479-00000000FC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.280{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.280{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.280{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.279{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.279{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-826C-6151-2479-00000000FC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.279{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-826C-6151-2479-00000000FC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.264{5EBD8912-826C-6151-2479-00000000FC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DBF1D40880AF727A582A9B776085F9,SHA256=7B8E794067E496EFF7996E9D86A716747FEB0D3985C322AFB664D1352984B7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:52.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001041308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:53.209{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59955-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.079{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=087483C0E8AEAFA9963C26C6BFB06C91,SHA256=81A624478F7B370B91F10DBEFC5A19E56AD77F53BCA0AD77248DEFAFE77EC4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:57.813{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0CCB4F9696E3A85609360CF48FC731,SHA256=CB7F9DDA8317CEDDC8BBC1D94E10383A68D52E76A54B5BF66680094309EB7123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.777{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x80000000000000001041351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.747{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001041350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.035{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d1j8pt39hxlh3d.cloudfront.net0::ffff:18.66.112.61;::ffff:18.66.112.82;::ffff:18.66.112.53;::ffff:18.66.112.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.902{5EBD8912-7B3A-6151-3A78-00000000FC01}7120polyfill.io02a04:4e42:a00::282;2a04:4e42:600::282;2a04:4e42:c00::282;2a04:4e42:800::282;2a04:4e42:e00::282;2a04:4e42:200::282;2a04:4e42:400::282;2a04:4e42::282;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.902{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gstatic.gitbook.com0::ffff:104.18.8.111;::ffff:104.18.9.111;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.902{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com02606:4700::6810:7daf;2606:4700::6810:7caf;2606:4700::6810:7aaf;2606:4700::6810:7baf;2606:4700::6810:7eaf;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.899{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0104.16.123.175;104.16.126.175;104.16.125.175;104.16.124.175;104.16.122.175;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.898{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0::ffff:104.16.123.175;::ffff:104.16.126.175;::ffff:104.16.125.175;::ffff:104.16.124.175;::ffff:104.16.122.175;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.769{5EBD8912-7B3A-6151-3A78-00000000FC01}7120dmcxblue.gitbook.io0::ffff:104.18.0.145;::ffff:104.18.1.145;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001041343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AABC69148A154E9D67FE936F98803729,SHA256=8DF38556A784B98C1F5BA3749C381C3D3E6DE38489BA56A2213E1DFF4490CCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DD57ADF736987E8DAF51C0D17DA02E,SHA256=8E81C837F625C4133763286E39DAC65A0AEFB1EABE8915ECD7C20590CDDB502A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.107{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.098{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.098{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.098{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.097{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.096{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.095{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.092{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.090{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.090{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.089{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.088{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.088{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.087{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.062{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.050{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.050{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.050{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.050{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.048{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.048{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:58.813{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4630414E93C877AA4FA05564129F146,SHA256=BF011BBE42AA720B72E4473E3B77E9AC0F22F68A2D9337B76703DF66A51B75DF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001041421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:35:58.895{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001041420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:35:58.892{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001041419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:35:58.892{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 22542200x80000000000000001041418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.794{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.gitbook.com02606:4700::6812:96f;2606:4700::6812:86f;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.525{5EBD8912-7B3A-6151-3A78-00000000FC01}7120app.gitbook.com0104.18.9.111;104.18.8.111;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.240{5EBD8912-7B3A-6151-3A78-00000000FC01}7120cdn.lr-ingest.io02606:4700:3033::ac43:a339;2606:4700:3035::6815:327f;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.065{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gblobscdn.gitbook.com02606:4700::6812:96f;2606:4700::6812:86f;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.055{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gblobscdn.gitbook.com0::ffff:104.18.8.111;::ffff:104.18.9.111;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.041{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d1j8pt39hxlh3d.cloudfront.net02600:9000:223f:ec00:14:54f:b240:93a1;2600:9000:223f:1200:14:54f:b240:93a1;2600:9000:223f:8c00:14:54f:b240:93a1;2600:9000:223f:e600:14:54f:b240:93a1;2600:9000:223f:8800:14:54f:b240:93a1;2600:9000:223f:6c00:14:54f:b240:93a1;2600:9000:223f:b600:14:54f:b240:93a1;2600:9000:223f:2600:14:54f:b240:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001041412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.218{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65210-false104.18.9.111-443https 354300x80000000000000001041411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.217{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55951- 354300x80000000000000001041410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.209{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55562- 23542300x80000000000000001041409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED3804F264AD86EC698EACD5879A010,SHA256=0B8103C5B0BF3505AB76E0E12A8B58A345A99CC8895A5872E60A3CE3EF576424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:54.537{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000970950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:54.537{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x80000000000000001041408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCC6D7635398E89D85DF1A077084012,SHA256=B47EA9277FD13482E82A220127BC2BEDA3848944699488FE7B4D173FA2D22B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.927{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57547- 354300x80000000000000001041406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.927{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local49287-false104.21.50.127-443https 354300x80000000000000001041405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.926{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56691- 354300x80000000000000001041404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.924{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49286- 10341000x80000000000000001041403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.292{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001041402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.292{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001041401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.291{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x80000000000000001041400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.291{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001041399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.291{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001041398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.277{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.277{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.276{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.276{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.276{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.166{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.164{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.154{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.150{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.140{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.136{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.130{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.126{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.114{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.747{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52536- 354300x80000000000000001041383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.741{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53599- 354300x80000000000000001041382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.731{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65209-false18.66.112.61-443https 354300x80000000000000001041381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.727{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53146- 354300x80000000000000001041380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.722{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51487- 354300x80000000000000001041379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.663{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65208-false104.16.126.175-443https 354300x80000000000000001041378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65207-false151.101.65.26-443https 354300x80000000000000001041377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.597{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65206-false104.18.8.111-443https 354300x80000000000000001041376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.592{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65205-false104.16.123.175-443https 354300x80000000000000001041375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.591{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65090- 354300x80000000000000001041374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.590{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57437- 354300x80000000000000001041373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.590{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50795- 354300x80000000000000001041372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.590{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64556- 354300x80000000000000001041371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.587{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58988- 354300x80000000000000001041370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.586{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58800- 354300x80000000000000001041369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.583{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53412- 354300x80000000000000001041368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.462{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65203-false104.18.0.145-443https 354300x80000000000000001041367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.461{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54707- 354300x80000000000000001041366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.453{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53812- 354300x80000000000000001041365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.356{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57899- 354300x80000000000000001041364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.355{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50828- 354300x80000000000000001041363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:56.353{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50550- 354300x80000000000000001041362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:55.592{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15-123ntp 10341000x80000000000000001041361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.110{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.110{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.110{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.093{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.080{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.080{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.074{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.042{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.042{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:59.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D6B9892729B24F32F66C1C4E5917DAB,SHA256=D39AFDDF2519E20EFA5E3D4A4C6910C22E32B283BBA20B8C5BE601944741341A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001041444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.110{5EBD8912-7B3A-6151-3A78-00000000FC01}7120s-usc1c-nss-213.firebaseio.com02600:1901:0:94b6::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.096{5EBD8912-7B3A-6151-3A78-00000000FC01}7120s-usc1c-nss-213.firebaseio.com035.201.97.85;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.095{5EBD8912-7B3A-6151-3A78-00000000FC01}7120s-usc1c-nss-213.firebaseio.com0::ffff:35.201.97.85;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.070{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com02a00:1450:4001:811::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001041440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.068{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com0142.250.186.142;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001041439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:59.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D0F3C688AD2ED8FCB465F36F59884C,SHA256=FF0542A7E0B22EAC379810664EC2125D403438186CC6553B5852CD103492FAB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:35:55.865{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58954-false10.0.1.12-8000- 354300x80000000000000001041438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64812-false142.250.186.142fra24s07-in-f14.1e100.net443https 354300x80000000000000001041437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.805{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65212-false35.201.97.8585.97.201.35.bc.googleusercontent.com443https 354300x80000000000000001041436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.787{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64811- 354300x80000000000000001041435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.774{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53885- 354300x80000000000000001041434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.759{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53835- 354300x80000000000000001041433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.759{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55875- 354300x80000000000000001041432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.756{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54666- 354300x80000000000000001041431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.704{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.701{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62413-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 354300x80000000000000001041429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.625{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64465- 354300x80000000000000001041428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.625{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98d0:6307:84e0:ffff-64465-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001041427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.600{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64465- 354300x80000000000000001041426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.600{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64464- 354300x80000000000000001041425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.600{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49793- 354300x80000000000000001041424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.600{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50105- 354300x80000000000000001041423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.480{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55780- 354300x80000000000000001041422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:57.471{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59196- 23542300x80000000000000001041452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:00.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1521247278D059F758C7BFAF6D48EE99,SHA256=B419B657E69DA1AA802895A609CD50AC02D2DEB61A521E1CEFA2404C2D968D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:00.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072AC20A72CCAA32B7E4957D21B69127,SHA256=FDEC3F9A24B95D77634199B3C2FA7CF2722B8588F5DDF5C20E7495CED178DCB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.594{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001041450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.594{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001041449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.587{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65214-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001041448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.587{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65214-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001041447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.572{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65213-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001041446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.572{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65213-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001041477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.667{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\11860MD5=6E912D4CB46F5EB7524B8778CC13084B,SHA256=B4D81AEFAAE25173624D80642E125E780130130DDAE000BACD74F9320909A000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.665{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\16584MD5=4578E7070970F586580D8770D2F9FDE0,SHA256=4D993E77FA4D7947476777E6F19E07575B7534993719507424B17500E14361D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4EC688C6C007131FCB45CB7A1AF5A2,SHA256=5B05BB44B3BEBCCEC91B4F9004D2E20102C903CBC98284ADEEDE74DF7EED33DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:01.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B12A649CEB83400539F14C593F00CA3,SHA256=AB2C8DDDEC6EE2F145F98368492D5E0057827F920FDACBDEC6BC7DA2884CAF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.233{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.233{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.225{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-8271-6151-2679-00000000FC01}6976C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.209{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-8271-6151-2679-00000000FC01}6976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8271-6151-2679-00000000FC01}6976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-8271-6151-2679-00000000FC01}6976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.191{5EBD8912-8271-6151-2679-00000000FC01}6976C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001041461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.149{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.149{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.149{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.149{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.129{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:59.221{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.680{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62808-true2001:dc3:0:0:0:0:0:35M.ROOT-SERVERS.NET53domain 354300x80000000000000001041454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:35:58.607{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50279- 23542300x80000000000000001041453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.085{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=C853317EB6FFD447801B5A0E8BB93602,SHA256=305DC657DD0379FB02706127C77A2F1B851D29249FA965E9363D135105C400BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=AFD9C54A71C1AFDDAAF44EC738DD021A,SHA256=AA77A7E71F893F91971AC4F7B167D231ADCAB9BA0DF13252EDB625544EBB58E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.799{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=70415C5DC46278BD0E681108EEF2D4F1,SHA256=A16E73DEFFC27640EAF68E6697CFE7B55B4F448B8C8FDD8F3A5B7D6FD8DFCC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.795{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=4B9FEE99FFA73366B479B232A520B68A,SHA256=157EB332D0EF7CF759A42B8D8407A6A874397E474B9CA254C9AE619A298F2228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.776{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.766{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.762{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.756{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.748{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.740{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.724{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.679{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BA1D1F26AD194215D3D432867338FD,SHA256=1D60437A95B65D7DC62E78A0B5FF218AD54287A41928B3AADCB646ACA944426D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:02.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1344C900E0FCB4F3D6683E68C6FC0E8,SHA256=131221085602478C6A4F37647A8DDB92376CCD75905F368135EFB01B8A9AD31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.153{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4653742911865F20CF5A36DF44B20D14,SHA256=DA210D6B650FE98725F47946F7E67E3C22363BF27CB23077B0F5673B0ECE9BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:03.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435B629016DF9B71B2223857D5194B56,SHA256=BEF79D6B18DDE3261AEC77956BA4CB2481BC9AD9C35FD9E1A652756A23019236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:00.436{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:03.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E9C25D205F4CE2AF5E0E1FBACE503,SHA256=D084F0D9C3BB865F4C4A3036ED7B4AD0921290A1D9810464D2FBA1FF9E8398EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:03.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=190B9EEEF323BAABA7E6E126A4517907,SHA256=94E0AC383DD80D7A7129CAE1897251303D3F1DB6CBA6DDB382FCE218798FC82F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:00.928{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000970958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:03.359{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C936B54E42B0B8A901E864D71C8A23,SHA256=79F0274A585F1FCA5623729BF9FE0C239C2CE13CA1F9609D475E457012955FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:03.359{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C67F748BBCC49DD1E25B0F5DEE0C99D,SHA256=F3F8ADFD8C7C83293D1FE2A564BDDDF74633DD24001F2193E1D311EF18D266F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.992{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.992{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.992{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.992{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.990{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.990{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE94176971B0698A8A24DEF81BCE5E6,SHA256=923E7D1379268A4DFB559F53F6F78CEB2A1BEE089E738B3FA6D3655FCA294040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:04.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F10415C42446A5EB300B20A5256F96,SHA256=9168FA63BA6DD5EDB28608DD2ADFEC7256B8C98F98AE073624C76B75A171250C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:01.772{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58955-false10.0.1.12-8000- 354300x8000000000000000970961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:01.747{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.135unn-212-102-35-135.cdn77.com53994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001041510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.542{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.536{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.532{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.522{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.522{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.512{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.507{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.497{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.488{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.484{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.452{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.259{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.389{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65133-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:01.335{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62413-true2001:500:a8:0:0:0:0:ee.root-servers.net53domain 10341000x80000000000000001041495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.099{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.099{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.069{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.912{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.908{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.902{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.896{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.890{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972B9B14AF9D8B6AA152BCC2F69A53A0,SHA256=1944B5A29B3B338E3E3274FA2286559FC42BD5C032B37B3396E65C5E1C57ACBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:05.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F1848F2CCBCED980FB2399C9182D3D,SHA256=78445ABFFDF286663F8B27E9ACC60791E8AC7C941E638A97771E0FC3CDD14528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.699{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.699{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:02.785{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.070{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2C75CBA54E4BC86188CED186B13E8D7,SHA256=0F9EFC40D5C1D1A9E3A4C7E069A1CD736D4A3DC22625A1F3ECC5CF6F505E6E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:06.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137DB0E4072C4F9BEA27AFC47D11B43,SHA256=537C9C12C19649C7CDB792CC3039FDFAED58BD87E103CDF4B3C5DE31575C4C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:06.807{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E229E18285BC3976FCD229F9C5CCA53D,SHA256=02B3874BFA1E282700136FF38943BC01D4E8399A818975D67DA60A34647EDFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:04.092{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-50123- 354300x80000000000000001041530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:03.704{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001041529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:06.124{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:06.116{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000970965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:06.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C936B54E42B0B8A901E864D71C8A23,SHA256=79F0274A585F1FCA5623729BF9FE0C239C2CE13CA1F9609D475E457012955FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:03.618{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60471-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:07.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E052D80EF688718800B86F2A274B72,SHA256=40569F9D439BFC6BFDF1637681560E64155942371F03B51E976604C17613EE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:07.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B2C90130343EB3F4195389A9AED693,SHA256=8223EFD0747C62AF93996BEFC3651F3C523CEEEEA58E9590CFA463CEB71CC3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.935{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=67911EF258C810BBCFEC68CEC6AA9D41,SHA256=246C7A16FAB8C6F03D53189A2BA4B998AE6AE43E2C6DE7BE73DC6B6D447FB4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.933{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=1110C8BD4A5B6B59B6593EF7CD47CCF6,SHA256=0BB3B4CB38AA1A83CAD0C4E5CD2BC683672A2F9CB77814B39E0BFBBBB9A9D668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.927{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=7072EE97D736E99EF6C02F790997DB41,SHA256=163038E0ECBC5FD830CA3ED04DF604C94A4DE4E4093CA10636FA3F26A66F4B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.911{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3295A9E781EFE0C0110DFB168317DD0D,SHA256=277372F0DA4AE90DC280B8FA7B47F4595E5EF09BD9AB7EE116A2119F55537DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:08.953{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1305E24CB2B97C8E27EB2EF0B748EA30,SHA256=A9AFE69D0CC7C9B9450D569F20131619CC68AE219E7429ACE14F7D984763902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:08.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550A806342D239EA037611D8EAD82431,SHA256=570665EBD5AD6D3D817184D4F78FEEEA1720FD6B6FB6A12BE3ED0A1765F7E24E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:05.844{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62413-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x8000000000000000970973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:09.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5C840B54142BCB5A6CF800E5B432A2,SHA256=7CBB9421F76E704B568861B796DBB00592E913D0D06B7569421B18F775D4D126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:09.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283BDFAD44CAED4789F5E976BA4B5FB1,SHA256=3588E49F2590F694B188E47CC6C7AEFDE4309A5EFDE4FC90334334326DFAF4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:09.962{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C3F18688DDF48934BEB12DBD17BD2E65,SHA256=B915D6B2786BCE596BC86F214D14FA6FFC1B53AD373FB16D750FC266D16F2906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:09.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBA84BE9128B0968D949BB3C1F8A630D,SHA256=6ACE3AD42FF70BC11946C0EEDBE7579651D33839B4989D6165BAB838D1E3B3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:09.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0334052327358C629659F7F2A3633C92,SHA256=A3D9A9E1AC327F7F6D295191EC19B1051119D890923D7D3D390632E4309F26F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:09.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02610A3A22F5E6829C7935C3A5EC13D1,SHA256=421AE6D5EE1E2673144A2898BB6C166D88B2B76B167A1BAB7B962EF4B67D6356,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:05.576{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:10.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4932EFF0F351C622C584B99591A8AA2,SHA256=06AED6106AA7DEC374341B64D172F86E170814619B1E59D25872ABDAA0EB9560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:10.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9E74EF71C39B56D42FA93C4FE10D94,SHA256=CB941444336D9F41F658A84CAF37DFF56C841EB99109254C542E055A2DF390C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:07.755{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58956-false10.0.1.12-8000- 354300x8000000000000000970975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:07.294{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:10.192{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4273MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:10.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C836EE7A6A36CCE1F8E22D6970E98773,SHA256=714385780A20F39279A4A519D6102169C362B7446925FAB08E8F449C883221EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:11.971{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF22AF403B9B3F99469C2494E0213671,SHA256=1DD53B2219127A4A8861801C240057032AA046CF073F638686818860287B2A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:11.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F698663ABBBC4554FA5D8F165CB6633F,SHA256=87457279EBBA39C0AA71BE1C933C0BB8554411819DC8DCB9B946EF03DE7C64E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:11.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EF4A86D69B190233BD6CF6CE77AB999,SHA256=0C751525D12383CC8213F226B9A2DFF2FC668CAB4B9ADAF67D55909B4CB05058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:11.206{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4274MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.745{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000970983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:12.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC8DC2773898BFB804A8B744987085A,SHA256=CA6601A9A39C6A99998161584D7599A5CC39ECC04786BF32F5C4245B3FAAF2B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:08.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001041554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:08.902{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53446-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.269{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DCA6C2BB0093D93D0CAAD2D6B961E9F0,SHA256=DCBB5100A3A3BCC550FA8B652A21D5ED3B1CFCBDDD3960FE41CCEA54D2361013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.267{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7DAE8F4E29C2F2815603988EB150A149,SHA256=AA7D67B2E07E0D9DF1172A2657A938F9F7C1FA1024E1DA5C1E8A5CDD0CD2CB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.265{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=51CBD5B236D40102C1B518D027346B45,SHA256=DE0E5B878029D0010849A0A50FCE9122795439C38181BF02FE9E2DE38B779DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.265{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DE807A180877F302A70FBC06FC37CDAF,SHA256=4B3E1BC3646944B042385F82AF5B84934CD028E236EEDAF4808F0FE1C9598148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.263{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=900E59F28465FE81DD7F05ED967BACB4,SHA256=B23F8EC45B3FA5FF6CBD105DEB146089F064FD895D9393D77EB2363253388D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:12.261{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E0749ED24EA648D90438A541AE1FEC8E,SHA256=2F04D24BE4CB590337D71A6A93734636D3C1D98D76F3F878D4FD4BFC04002988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:12.909{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:13.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B46AFB1A9856950B08040999C5C984,SHA256=74C056861735C109A0E8362F435D54B58BAEA3D0D1D0F1E9334BB4E1ECF92E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:13.124{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496F6FDFDEF86339AD42AF53394757AD,SHA256=2D33681BF35DD2B7523FB098292CDB1175A4B18223582A53A1FA15B8CD92074C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:14.185{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:14.185{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:14.143{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536A9E62BA7D34C7B922D145D3B77A04,SHA256=B19DD520320B49F7D581DEFA1D2288FBB1E4BCF192AE540C501C29635EB32BF8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001041565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000001041564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x80000000000000001041563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000001041562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b37a-0xbc4aa9b6) 13241300x80000000000000001041561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000001041560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:36:15.711{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x80000000000000001041559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:15.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C9B9C33422D917DAA7E0E2F057B95F,SHA256=2CE01D422987959DFDD10C012E2245A4AB60BFF23204A14C5164FD755BC5D9CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:11.540{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58957-false10.0.1.12-8089- 23542300x8000000000000000970985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:15.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E04E1F9B892A6D895892BFAC24782C,SHA256=738DEC27672551BACF3F984968423BAF533E26F8D71FCB52C824EF78C4563919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:16.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E446750FAE0A565686D39FA135B7B030,SHA256=3FA0101BF6F488C0A9D468A0097F552A3DDA3259DC67C22AC64A6C3CF2DB9208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:12.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58958-false10.0.1.12-8000- 10341000x80000000000000001041604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.463{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001041603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.463{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.463{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfada79b.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.453{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x80000000000000001041600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.441{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.439{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=878986DE951806A8B8C887625EFCC439,SHA256=26D8A1622BEA65AE010F243D46823D4B6FFCA775CFDA5870FA33EF489F21DEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:16.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A9B311B5BCB768DBCC314B5AB17264,SHA256=F7DE54766D52262AD16D8BBA4E5B3C1247B23F37F25A0DBDFB900A305FD5B551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:17.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C195973FB1578527EFD1FDEC328E44E,SHA256=C2450CC64D3B4D800E633DFB62EEC6DA30054DC5BA6988CDCFE0CB81871D3CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.895{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\session-state.jsonMD5=680210C01B633D2033406BF1D4EE2D47,SHA256=772B857D8F68B21C39CE6798995A1DF8C17489210EA2DBCAF65B3FE68FA36526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.482{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001041610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:15.679{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65219-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:15.679{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65219-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:14.723{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.202{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C139129CACE1C86750A6B9550F7EC,SHA256=E64319571F4345EC1B7CB42B88CB0CBF4C71BBEA5A159438FE9CBC1A48C68BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.016{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DE45E5E436B0DEAADE0F30DE32AFE,SHA256=4E02F55650CB30932CF5C55E3B4AC96E8236F082978C0D0B1426CCF950BC6D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB0F22C83F47591E353C42C7F2323CD,SHA256=C137BC1CF250E56A6040F4382167BDD9F7ED4A16384AB667B075C793D3A85BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:18.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11966E415BDA0EC81F74BC701F44DEAB,SHA256=98FCBF75C7E93A5839888522110BA4A0D0179C275E49452D2EA80CCDDD7C7195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:18.210{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA183FE3F9418A2C1400C0B0ACEFFE5,SHA256=57942A88D916F68686BABD64267040683ED33B8009A08810D9317E6266170CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:19.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81803592E5FE10D33D095355F4F77C,SHA256=1ED7DAAADD646CECF9679C077329F85EAD91ED851053FEEE9609195F8200F1ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.578{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51329- 354300x80000000000000001041617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.578{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53219- 354300x80000000000000001041616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.574{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59436- 23542300x80000000000000001041615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:19.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A08C86C2BEF85C710A05D7918AB6C24,SHA256=5BE57C98D552F039554C4DD534B438A6F166D3D5A8BA44BE402B3B62B31D0566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:19.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=403CB1B8BFA9BB4AD6323989348C5E6B,SHA256=C0ABC75CE657E90A8D834C739B70EAC3A7D588DA7334016CFD8300071C3554CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:19.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5C67636F1CCC7BADD58EC4B696106B,SHA256=2509E0808C023E552C8EC2E1F6BC3209CA4FF46DEAD0B4DC986FA613FB15C366,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001041614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.887{5EBD8912-7B3A-6151-3A78-00000000FC01}7120pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.167.102.239;52.24.163.249;35.167.137.152;35.163.235.15;52.43.83.211;54.184.190.181;34.216.113.46;35.155.6.125;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000970995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:20.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A3E115AD5BA241B02D9118751B0CC4,SHA256=1C2E09C416378AB070E028CF5CE14E5095F41E5EA1483DBE328E6D329C19B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:18.712{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:18.431{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-52218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:17.719{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65220-false35.155.6.125ec2-35-155-6-125.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001041619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:20.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A306145E7B4F1652A88549342C3953E4,SHA256=29B8B5FD585B4AAE3D6149AB299886E33285A4DC10F30EA79E8DA85C67E5E45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:16.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58882-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000970997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:21.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA7A91FEC73B068DB1A5E68F5CC86EB,SHA256=FB62EC25B429D35827E9B3CE1188A56A87A7C201388A07F12F398B8B8643E740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:21.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DE45E5E436B0DEAADE0F30DE32AFE,SHA256=4E02F55650CB30932CF5C55E3B4AC96E8236F082978C0D0B1426CCF950BC6D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:21.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B963664D54D139975C2C414E8BE667,SHA256=82AE2DBBD5F2627393439E5ECE1F124EB6F25459278235168BC5F7D2E6049034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000970996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:18.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58959-false10.0.1.12-8000- 354300x80000000000000001041627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:19.966{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59448- 354300x80000000000000001041626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:19.723{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:22.253{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF45365D7A2CCAA0F4678336A10EEAC,SHA256=621E819A996DD317087D3C4DA0EA35F9410E7F6CA392EC8222A552C509331AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:23.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF95C12651847A4A02DFB5D2DAF2388D,SHA256=F7B020718A4A58E87201F4C0CB5CB82E6C49406CD0C831DC09713A8A237D2AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:23.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C15416DFB26DF3FE337D9688AFED6D1,SHA256=24E2E6B7B30DE81FB2CAD5BC69109AF7D15DB17F6F86BCEA1FA586774F27FF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:23.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CFAC8CF2BA9FBAAD2C69C32578ADB0,SHA256=8AB8EAE382D42FDF4A9D93E929F69136DFF62722F4F7550953B66EE1ECC85DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000970999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:24.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B35127B99779CA29E79FE1D70CE6DE8,SHA256=A097E1BDB961F84C068E1154709CB67A5A52DD05B479A9BBDB619CA607E1386E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:22.193{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60040-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:24.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F925851AD11158AD5365DA074CF8DF20,SHA256=24DCDABB849B186D80BCC0A0F0F01EC4BD8BC8112E97CEFCCD839562762DB1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.892{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5260398E6A1E11822D6765C6B4173A6A,SHA256=29A6F73BB20DBF4CC01B3BF497D83211F13964A8B629F21597884EE7D1CB3EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.890{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4BB01AD6A3C59503DE118B0B8783EC71,SHA256=F031758B425C270514A382FEB29EA18596CDB3EB4EE5E8337799DE7056EFC5B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=49A84A655BDA11B08CD9EB0C5B23500B,SHA256=DBD9147A82526CD56A3E594EB4D5E2ADCE1D5CD390E00ED5FC8CAA11DBB28C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.886{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7E8044D111E4835944F20C1A86AB39E5,SHA256=DEE500B4261D257051040E41FB9E4A3162DEA760A653B7923E8063C4D8A5EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.886{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6C24BAFED8D6C9BFA10BAE00967853B4,SHA256=9CEE3F77E838A4B85A1EB303B10D0B6A284A00E15CF6E3200C9FEE13A333D412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.884{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=61F6B3992582A0657A719BE920E7FCFA,SHA256=9EF209C88676A11FEF8BC3D77F1EA9FA84BC4F7BBA7861DD9BF286CB3A72C5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:25.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F021E1558D91EAAA24DC1CB3F27108A,SHA256=E21C08D0587B29372E2D3D7FF67E10D6396043A04064CE7FE992477BFDB607CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:25.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1542ADAA7FE647DCD73D3B40EF4D6F0,SHA256=F898FFDC10928707A92FE8B5A93BD17BF9B9B5ADB142373606C959FA28861B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:26.585{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD02BC4C3617895A391CF1151AAD0F9,SHA256=C6F17AFB70565073E421435CCC726487696E1B4FE98B2C804F6E71E854C55895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828A-6151-CA78-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.862{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-828A-6151-CA78-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.862{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828A-6151-CA78-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.863{69CF5F33-828A-6151-CA78-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000971015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.393{69CF5F33-828A-6151-C978-00000000FD01}18323680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828A-6151-C978-00000000FD01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-828A-6151-C978-00000000FD01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.190{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828A-6151-C978-00000000FD01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.175{69CF5F33-828A-6151-C978-00000000FD01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:26.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FBF55AE82F4A3EB8553291E0C0B39B,SHA256=6953BEBD0D75DB84024915B52684B2A268B6968A04B7093566C0D982E30E3B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:26.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DBD4CDD6FB65FB8A8E51B3B4D0F9166,SHA256=C0A5C4155E99395D91CBB436A73FF6B8029A3AB037270245ED0D2B083B9EF47B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:24.760{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:27.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306B654DCBF4A23712E010E3FA21F2C2,SHA256=A372A2D75963025957AC44AEC85448012C3DE74BF78FD403A6409A86482B6726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:24.743{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58960-false10.0.1.12-8000- 10341000x8000000000000000971045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828B-6151-CB78-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-828B-6151-CB78-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.768{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828B-6151-CB78-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.754{69CF5F33-828B-6151-CB78-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971B48F866249BC14EC61BAC857CCEA2,SHA256=860918777F066BF11434379D11E9870DDF3252FE8A9BA762F787DE2F66D6D7C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.284{69CF5F33-828A-6151-CA78-00000000FD01}2004956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A72589D75530870BFD4106C397637D0A,SHA256=4CF8EC51708F65033FFED4F9CA360EBFEF79A8F454612CC9A660F7681D9D9DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:27.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=403CB1B8BFA9BB4AD6323989348C5E6B,SHA256=C0ABC75CE657E90A8D834C739B70EAC3A7D588DA7334016CFD8300071C3554CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:28.694{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2719DFD21A5C20BC17B53B60D0A8FA2C,SHA256=710B4179163833E220787A7902B10DB29251D73492B1AC9C353B23E39BDEF962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A72589D75530870BFD4106C397637D0A,SHA256=4CF8EC51708F65033FFED4F9CA360EBFEF79A8F454612CC9A660F7681D9D9DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.628{69CF5F33-828C-6151-CC78-00000000FD01}8202352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828C-6151-CC78-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-828C-6151-CC78-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.456{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828C-6151-CC78-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.441{69CF5F33-828C-6151-CC78-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B8609244E8FD99261D9800DEFC3B4,SHA256=72E56B0E3883A54192103CF45377549489D3D46E60277A01F259C94E2F53F7D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:26.687{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000971090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.956{69CF5F33-828D-6151-CE78-00000000FD01}18923280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.721{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828D-6151-CE78-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-828D-6151-CE78-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.706{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828D-6151-CE78-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.693{69CF5F33-828D-6151-CE78-00000000FD01}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4E2DB47DF53EE8CB35712EEAB5E438,SHA256=6243678952538EA738F9B42052912DC9A9B1B296D1E3AC049379055E25E6536F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:29.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2466A536F2616279A99E0B4FF59D1D,SHA256=75DB60E03C5E8BAEFB96DB41F9F0D75EB8F25BA10B606F9790292D30D8BBB325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:29.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29B69486042AF14105F056F63DA43711,SHA256=C329A6A4873155B1E9CA08C4ECD52154C43E0D556151D5B4033F6668774C519D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-828D-6151-CD78-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-828D-6151-CD78-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.096{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-828D-6151-CD78-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:29.082{69CF5F33-828D-6151-CD78-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:30.925{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4965B96C06364C0781BBFA48724733DD,SHA256=ADE4CD80ED8D236241AD4CE8854E08AE703E03710305AD4FAB2D2CA04388987D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:30.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C914818BAC3DE2FCA814633636B776F,SHA256=7340A21BDDA350AF3CCC796F5B74AEF9DB4958ED67FBC2AA35A23790707B0BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:30.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB80720F8D29739279FAECB271C4658D,SHA256=728A82F25E4940476195B3D3431D1E25D8284A38E8EFCFE5796DA9900A2CAAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:31.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B07933C0A29AB03D64FEE0BB887DE7D,SHA256=128E5DB8DD57E2480DD8CA2B3BEC9D272E6B8AFB3998D4281D05F33EEA18F993,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.945{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58961-false10.0.1.14-49672- 354300x8000000000000000971094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:28.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65514-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:31.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20112B06D4508448FEE7CE8DAECF02DB,SHA256=67D3A73D497F7B6618BF2A6347F543EAB1DCDABA51D03FE0FE4702D15984C81A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:30.040{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:30.001{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58961-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001041648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:29.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:32.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363BFDEBB61AF41C8536310C077F1488,SHA256=3E9D77ED4CB0A558DDC10D8298E541E486939370B7426C75D7B1D1A014C84DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:32.268{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBB31992B09056C56D9CC4A6E74103D3,SHA256=D795A182E1F73083029032C1B38D177DF0CACD79E42F47CB2B6AEA04DB59FBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:32.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B663F0F753F1870D4A126DD776EB383,SHA256=6E56C2FF7239AF8C691A5A97F04479683D438B97C03F3D976B2DBF75C8F206A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:32.111{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC50FCEBB35ECABAF54D50215E3CD55,SHA256=B599E406035DD569E160AB5994EAEB3244D0032D0C96DDF5837DF1534C7A97E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:33.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D1C10D16D9D9A998D017A0C356C716,SHA256=033DB3CD571EC28DD4994E405245096ABBF85376E17E4985199DA8E81EDCED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:33.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D624C71883B12D81CF67453BD4ECBCCC,SHA256=CD6CFBECF2338EBD5A92D0719C0C85ACD0ED0751314C2A1266196FAA45EF846A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:34.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBA532830365FE80480C844EA0AC48E,SHA256=4238E68369E7C7BFD929ACCF3B68C3436E274C59DBE5AAD1ADEBDAD1B101C833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:34.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4DBC8CF1A59B5215334475E01D517B,SHA256=C3B0DB532FFE691522C1AAEBFCB5ADFF9C476454FC061339F64A9C1FC488542C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:34.621{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000971099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:30.680{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58962-false10.0.1.12-8000- 23542300x80000000000000001041669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCC63E0B54260AC74C5DE1428C2602C,SHA256=C6A8E07C833D96A7F0186BF928150AEF0F8A25CD970555BC8991AF74DDFD9BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:35.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD75538508B3A39A6825C459D1F60F80,SHA256=3487EB9D0C42ECEC82DB559B2B52E5D45F2DBFD9794BAD3448E7AB79DCBBB2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.791{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.776{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.776{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.723{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.723{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.723{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.723{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.691{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.357{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.357{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.323{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.323{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:36.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA041426BE1783EBD6425FC758DE69F,SHA256=650C9AC7F5405664AB24C2A1466B4292E34A1284C3E30B6E047990479648B75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:36.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8825B190352DABF1F4088410606959,SHA256=823B26095A3C650FF8459D850263180BCF35234B565F3F961F48D8CC95BB735D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:36.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59516B7D05A202910E9D514AA265CD63,SHA256=6154755012FD48B4AF0B405F9F40A48E10EB407B070ACA9385B3AC53E04F74ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:36.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FF750378406FEC41F1ED413AD818E6,SHA256=2B8718EB266B071B713092FF62075128F6D70ABA0BD249D2810793BAB27E73A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:36.609{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:36.609{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:37.938{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B01D5C7E4C741A7A21BB6DD19BCA35,SHA256=FEEBADFA56C85709AFE19DC51BAD986026E2E632E99CCB7F6F18D353EBAEB3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:37.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6193A4D0CF5319BCA61C59EFF0F6C6,SHA256=A30EE265770CEC24C47A68B9FBE67C0D6E6E919382AD50FBED49C9766FE57062,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.488{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000971105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:33.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com19581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.976{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4F055E948FB23EC88832C5CAA1B4711F,SHA256=1B316C1F20FA92A64E4F69DB1593525915500045790B8118562E270C9D032C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12798E03133D40598C9F695998FEECC2,SHA256=8B57E3EE885D70C452C5E3670BEAFEE01C0D5DEFFBEE37E764E0732D5252CF3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8296-6151-CF78-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8296-6151-CF78-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.440{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8296-6151-CF78-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.425{69CF5F33-8296-6151-CF78-00000000FD01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:38.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD3BA2B56107C1D9FAFCCFD0F7710EA,SHA256=5D4624A084F6CAEAFC69B52A495841998C08869417747B5C2F39571BA198507E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:36.225{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com22173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:35.748{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.644{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4273MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.464{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C2F142D065E55D81CBE93459A383C7F,SHA256=7B0BD395B8939515F0AF9D49BD76DBE9473C31BBFD78535E1C57592981516F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.464{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD1EDE74BC205823DDD469A97BAB1D15,SHA256=EE754D4A486726F689FCC2B36C8D1772553A47B9E5F0E9C2AC9CB73C911C1EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:39.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8825B190352DABF1F4088410606959,SHA256=823B26095A3C650FF8459D850263180BCF35234B565F3F961F48D8CC95BB735D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:35.883{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58963-false10.0.1.12-8000- 23542300x8000000000000000971121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:39.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE1934ACD3F1492854D97C36E241C1D,SHA256=6DD7AE40D8B266B8F50B1579E0A9090A45297B9477FE38CDA14EE936D6ABADDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:37.331{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:39.642{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4274MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.754{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=578B3645740A892927AC5A055C3DD15A,SHA256=4276E7E01DEF9426EFA4EC1659071C2C2C306FF62210746B9467B407109D5FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.752{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=727BD8E3EFBDC89DC8108F7052CA7C71,SHA256=793A051B88AA03D7E2C9D583E7D1FA63BDB30FA6A644A0B2FE60B19471FDDD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.747{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=16678AF9C8F1177AC39B8BCEADDB8782,SHA256=BD328F1A9DB9085DEF2C923572A767D02677E94291237F98D862D3865B5475E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.731{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:38.579{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57661-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.191{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB3C8166C311256C9A96D67046A89A8,SHA256=74C45EBA7BEF225F431F3396366C7AFEC9973D0737E85EBD5749C2F89A54DBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C2F142D065E55D81CBE93459A383C7F,SHA256=7B0BD395B8939515F0AF9D49BD76DBE9473C31BBFD78535E1C57592981516F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:40.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37BB09F7EFFF9CDDE866F5C4E8C04465,SHA256=DE2B93F6E15C7B78BE1CBC210696B0A010E4021C5E46320F84DEEEFD9D6B24B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:36.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55106-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:40.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A484A5B030086A87B6D51320D7B5FA,SHA256=DBC41950B2F45A645EB2D9CD7E95565A0F775852F1C48B036009C762F8FA5592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:37.874{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:41.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CBF4E7293A78FD0CD4A88B3241D9F8,SHA256=7575A194A43D500CF987E5BC19797D8E7C493B4DD336AA72D89594CD4069976C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:41.896{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DE60F9C93D20353E2A302C85C808E52,SHA256=9E884314D20CA7F412B78F082DEB468DE6470E41E2BEC834F45171788823AFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:41.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D373B5777CA60EF0445BCE75D6BFD7,SHA256=AFA58A766410CD88E095FC4DA83D01646F452C900F6DB206C7536EE06B58B4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:42.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462758190517595D624CEC2E6FECF6AE,SHA256=40C3F1BAA7229A43346B65995E3D3E1F719BF718BF434994B5AE09CB62B82B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.845{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.671{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:40.260{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:42.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE7066A11C5867B50045211429FE366,SHA256=422DE13DE0FFA55CBFF1230300047867BCF677F4BF6F0A018E1FEEF25D2BB217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:43.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47A2857EB2A028B3131DE85F10E6398,SHA256=1F9324CA0E508202CE1963E3D320ED4D8D105D5D2505C5170AFA8EAF10808168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:43.210{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172001BC6B9C0720D4199F4786B63F96,SHA256=65BDB9CE0410FD53C31CCD2C8F5055EDC2C34A15FBCE04B8B573DA2048416D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:43.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=121370A160B2F80BDD9DDEDA73632878,SHA256=DAF121CD6204E6619742A22C69450397DD318B7027AABA57A887E2A7BF3C3751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:44.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21807EB53E8460EDD0D4076D6783680C,SHA256=D73AEC850886B9253DBC9B9FE81C2C24E62F16ACF51E53408431032C66CAAFC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-829C-6151-2779-00000000FC01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.996{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-829C-6151-2779-00000000FC01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.972{5EBD8912-829C-6151-2779-00000000FC01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:44.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71767ED43D0CE21398745DAC3C9FB86,SHA256=2B1A85FD92C5483CE29C762F63BEA2AD8A25C8AC55053A82CFD1A02FB8044F26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:41.777{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58964-false10.0.1.12-8000- 23542300x8000000000000000971132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:45.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7483890ABA188CF5421CC0634FDF03A8,SHA256=55AB4BAE4239C5D621D9FDE2B077A453816DAA0B7CF218E7F6335C7088D99480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.993{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FD9CD21BADC8953CE9E7F4D82D4BA42,SHA256=B1DA2A9EE434846CB4142E4B3BBCA9492D6840C313A3CD24C755C5E1B497C461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.864{5EBD8912-829D-6151-2879-00000000FC01}39765080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-829D-6151-2879-00000000FC01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.681{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-829D-6151-2879-00000000FC01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.677{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-829D-6151-2879-00000000FC01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.658{5EBD8912-829D-6151-2879-00000000FC01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB68D068296B23C56A11AD76BC09FD2,SHA256=0EB20C0DBD8C5E835A1AE3CF183057D38E6928861CCCCDBB17AB54D8259C531F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.000{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-829C-6151-2779-00000000FC01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:46.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F386628DB5CA4E01BBF8E8EB2E35FDB,SHA256=D4D97ACF6361F5F8A983A5B382B97BC14B50AE032CF4DAE65B9AFA04445832A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.563{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=01981884D2C93B56E2E060A3D16DB805,SHA256=87030E9C89E2A28710D90B668D4997C780939B450609201120DB636E1A740DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.562{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FE432A279A4A4CAFA4C9ED35D6095A41,SHA256=37E6922B8B4F64200D86EE2BE67999C44F659C2AD1C22EDD793709CFEF069FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.560{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=20B6CB2C2FFEBCADE4C7152B0E185B84,SHA256=6307AD731B89752D953167D63A668B48CBCC8A2B89243E22E954846BEA41E891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.556{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DF6B9BDA17EA443A8C53E532F5A36D96,SHA256=90C0A4DA02C72E5CBF31C5E7B1556B0BEFCEED7C78DCC731A1088D84C2A52348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.556{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=93C8DF545983B60C208887265A930008,SHA256=91AC07234A10CCD6148C922A6C9D3313F953CD4B440F33FDE4919D472E87EF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.556{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D5A1CB7F09E083012705D2C132CC86A7,SHA256=B59639BF0C9300D90C090565706BA1F160EE13D38802EB57FB838FBDDA22B61C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.365{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-829E-6151-2979-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.363{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.363{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.362{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.362{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.362{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-829E-6151-2979-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.362{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-829E-6151-2979-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.346{5EBD8912-829E-6151-2979-00000000FC01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.318{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C2F51B8A7A4CE7D76621A0F55069F,SHA256=BD4EE642849235A36B43A112F9543564FA1BE1DFB0E1854F6AF46B941FAF99C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:45.017{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:44.898{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:47.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689C6A69C3AC22F497B0DD875485E0B3,SHA256=8C8CE69E5109BDD1479268F870292F364DAEEBC03F8760181215DC256EB70D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:47.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCD6F0A702B30C778237AFCC674E5B42,SHA256=B161BBA60F0B824B86F6AE49FF4E8712159638CD58F546B437F076E22E16353A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:47.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E2E8FF01AFD79327C8061966D95528,SHA256=DEDE59057724D4720A2A53017EB5F454DA2CBF17073B72C59B0F84825139E178,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:45.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:47.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052955D4A09AFB400E01C9B81FDE28C8,SHA256=9D4DD37FE6E47C2EEAE29A3B8D1AD2197C00AC6B1DCAA27BAC865F1CA1D05AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:47.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D522849B031EDBAD5D865E6BB2C21B9C,SHA256=3707D19CC5C055C19D0AB238AECAFC8871A6DBE62C0D7E113C87E57ED4CCABB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:46.884{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:48.534{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDC696F8DF33B7A31F4817671D65369B,SHA256=D121D6C2B2C034E69040960B3D4715124D3C061DC6DDB01289CE40BE424A793A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:48.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6450C8A59521A4F7B3CF1F7B3F3325AE,SHA256=C906D6BB01FD5A6E4EFBE01BFD4D114C3D2FB139CBD7A6EDA3F480E235BD84F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:48.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB4E6D0A035B701A24427CB48BBA519,SHA256=F65B7EF068294044C55E6C3DEE7D773F70C45EB7AAABFEAD4A9693BCC7FDFDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:47.066{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-56893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:46.870{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58965-false10.0.1.12-8000- 354300x8000000000000000971143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:46.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:49.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689C6A69C3AC22F497B0DD875485E0B3,SHA256=8C8CE69E5109BDD1479268F870292F364DAEEBC03F8760181215DC256EB70D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:49.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5DFDBC7903BA21A62D814AD39AEADD,SHA256=FB847724139773DC1AF7E92C1A17A989F164E116017BBB99B0C7DC341F8D9F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:49.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910A29A4105B45A371F777803B41A021,SHA256=7D74230C01252628C97D6B483509AB1E2C2F71E54101B9535CC884AA6A2218FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:50.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E7656A9A5B9C0F91A9D8E9F8D78A9A,SHA256=0FA305D2A05B7E27BE49D26D752E4F54A478A1A29619D5D1F53A94ED6B376DA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:48.579{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-57061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:50.718{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9C602C87D10102F4BDA550B1E3F788D,SHA256=14AE88389259A5A054B8E32132F38D679CC711B183CDCB78F64A57BA97B68494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:50.553{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDF4DE11AC56E2132C6543E6EE3C54D,SHA256=2CC793722D155043BA0B8CBD7982C26C888396776F2E8203119176882C6FF655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:51.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA8738CA4ED7BF69BE770683287FE47,SHA256=95C494B8F7CBCD7A7145D326DACDEC7EC3EDD39C8590252473219EE9956E09D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:51.586{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D99316AA3F89A5E27F7C2ADA0B044B,SHA256=D3B25437F8C3D4D50A7012C5DB22C48AD2A5748D9D3E80A532BDA418810D58FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:50.860{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:50.723{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:52.589{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3360154521432ECC3D4BF2C6ED3B8270,SHA256=E4D67A339799050108967C2D2883AE3C1BAAAC2AEC6D02D613099F61E184D0AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:52.161{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:52.161{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:52.161{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1d25067|UNKNOWN(0000026DBAAE7C24) 23542300x80000000000000001041751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:53.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C0D7DFF203397FC2D210C51548C49,SHA256=90FADBDFCA673FF17F67BB124D1269C849B56D26234B189DD3E38ABEBD428DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:53.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE129F91CD6C4EEFF4B2A6A956690B42,SHA256=C8CDFE4E1A26EE4F678CB1FF9D356AE0C52307DBF59289FBDADB599B1C6D4D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39A5F280564B09FB10E47F29F832C6F,SHA256=F5D2221D03B0114296F86895E4FE6ADC9E7AFF76FCE9A63CE2D1638C6528608B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:54.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=344BCA5673354F9AC19F1F7248683835,SHA256=3A63C74D4E165BF055F67A78A6F7F7557458A473800F0AB7BBB330E69B2F3055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:54.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C7BE4CC605231E9F7B0AA1EE6F9404F,SHA256=85C93599599E5AD128924539D2D09C0CB659BFDB51BB448E28AC720BC495E0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:54.131{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B174732760B4DB46BD9E33DFFBCB978,SHA256=C7D86E5E4744F8FCB15ECC2629AA8412892C876F3CDCBADAA8864D3A029A81F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:50.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001041762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.687{5EBD8912-82A6-6151-2A79-00000000FC01}16287164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.503{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82A6-6151-2A79-00000000FC01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.499{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.499{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-82A6-6151-2A79-00000000FC01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.499{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.499{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.499{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.495{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82A6-6151-2A79-00000000FC01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.483{5EBD8912-82A6-6151-2A79-00000000FC01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001041753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.163{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.015{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCF0CF9DB1B59AC3A736212DE037E7CA,SHA256=2724D7D3E878EF0D0186311D2E4281118B5B1C572C12C0D8D3933EAA2A76FCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A4C3625D61C3E3AA5FC2583E194F8C,SHA256=0B376E12A3401E86191FBB7F97A75796FCA1D48BABB5537F671B561557945023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:55.162{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1511D7FA077691743F12C2CB49499405,SHA256=44F5E722A3FF44BEC0189F48C310E9389C3A1F493F6C37FFA50ACA4CAAD7D6F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82A7-6151-2C79-00000000FC01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.697{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-82A7-6151-2C79-00000000FC01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.693{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82A7-6151-2C79-00000000FC01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.682{5EBD8912-82A7-6151-2C79-00000000FC01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B212763514A15AB17433218705CC76F3,SHA256=51AEBE36E3410537765B14728971200BCA3BB2AF2270B9C384E7C67404C32DCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.425{5EBD8912-82A7-6151-2B79-00000000FC01}54605764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82A7-6151-2B79-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-82A7-6151-2B79-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.168{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82A7-6151-2B79-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:55.153{5EBD8912-82A7-6151-2B79-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001041794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:54.212{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65235-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A956D089B756704DDD10DCD1B1727E82,SHA256=BC80D8F4A2D158D792286413200BE6088AC6B377555E235C678B6DEA12B86097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:56.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F94FFA3A04F4102C60FA4A8CC2B602,SHA256=1DCE4F8AA94B4DBF0B9B5CA7C51EE2B16077F7CF1C3CB071C0E774542FF092CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.690{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FF3B3BDB3953A53E842177FF9123B5,SHA256=E4EDAA0F220F5E11AE4EE38D610806505B752A929779EF6F002C540D20DDE837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.546{5EBD8912-82A8-6151-2D79-00000000FC01}9441824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.378{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82A8-6151-2D79-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.375{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-82A8-6151-2D79-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.375{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82A8-6151-2D79-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.358{5EBD8912-82A8-6151-2D79-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:52.777{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58966-false10.0.1.12-8000- 23542300x80000000000000001041801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E892618DE4647386AB15A1B126FC594A,SHA256=5E3095020B2A273152E889D5F5506994E76B157920B7E58EDFA85F8E282FB29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:57.459{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783EA0F7AA797CAB5AF7A001F9B5B1B7,SHA256=605406ABB67F48D06259DC6F582DC172B68B381B0A65003DA27E17463F56C0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.703{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4EAEB2282102BC519BBBBAAF9D8E30DE,SHA256=45B1397CDFAC592283706F2329ED973425FD204350AE8514989EB18AF2052F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.703{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D8828E017A2CF6FFA87971551A775F2B,SHA256=D30884A44B8A7C8CCC716CB3AF4B766F3B06FB6FD6AD6FDC12C32246E628115C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.703{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=448B6687870EC600DAD412DB489582CB,SHA256=9CE71B76E2A2D71D79E1D9FEBA20A21FEC443B2AF0179EB75EA82B528A6849BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.699{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6D850490B4A1A61A3500981CE44C71C0,SHA256=5D75D7B5756D44F23439C59B01D89DC5A76FD8B5BA10694BA15FC961634E8826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.699{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8E9916FAD7D33A362B9640D9A86F07DB,SHA256=5B3C93F7E75098B7C59CEDDF32F74BAB39EF00671D3F81E45CE8E7218A84EE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:57.699{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3D068B1D14F8E6F12A036B890B36178D,SHA256=27494D11A68EB79F13B9138503EE535B7D0BC462F610848CD8CC1D3A2AA9903A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:57.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=344BCA5673354F9AC19F1F7248683835,SHA256=3A63C74D4E165BF055F67A78A6F7F7557458A473800F0AB7BBB330E69B2F3055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:54.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49658-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:58.857{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A96D5C94AEBDB070F7BD1AF286313,SHA256=D7CA27291BA9BC5653A0E28BF78D7C4B216F6C4EF42095BE2E8392C445E524C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:58.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AAA36205CF633428638E91A12A6547,SHA256=FA8D74C654FC9F6242904D858EA241E681B4F6AAA189F83ED47370DFE8B3D3A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:56.826{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:36:59.858{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD696D36004763978997E792589D74F,SHA256=A702550AA35C18E3498DAA9E588E85DECAF6C49BDB71A10ADCCAEA116903F65B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000971170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000971169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fae4cb4) 13241300x8000000000000000971168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b372-0x7465672c) 13241300x8000000000000000971167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0xd629cf2c) 13241300x8000000000000000971166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0x37ee372c) 13241300x8000000000000000971165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000971164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fae4cb4) 13241300x8000000000000000971163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b372-0x740e686f) 13241300x8000000000000000971162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0xd5d2d06f) 13241300x8000000000000000971161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:36:59.787{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0x3797386f) 23542300x8000000000000000971160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:59.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F084B2201EF8CDFF5C43576CB81D5A,SHA256=E6E59BF904676457E0AF6E215A215957B333AC9B2B3218F8FE7C447617D7FB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:00.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD7965B32D2E9664E5C6541C043FDBA,SHA256=C3474AFDE8A5FDA4082B8DD71EC3162C7DDC43BC409499B6CBC63C4C8DB23422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:00.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395E6575482712B379365F2DE6CE2E15,SHA256=BAA00E23D6472985A4AE23173115AAAD11CD26B3FCA854EC7722065CEBA914A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:01.908{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA74616FB55367486637F57D39C980C,SHA256=4561A36338D7BDDEFB4C1DB8CDC2BB38661A05E19FD634BF364F797DFCE647DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:01.506{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB9FA8D3414687F0E21D8CE708A7878,SHA256=C28D6D4A28BDE1CD4A10155F7EC0B47951025717502E64610F09ECA8E3F5BCD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:36:58.761{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58967-false10.0.1.12-8000- 23542300x8000000000000000971173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:02.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0219821ECE8B721055E01A3E073CB98,SHA256=9E7173639B667FD06878816C5AB9C1078B117D10E2A45DD80041A8547B67AFE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:01.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-50568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:03.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=043E44E92EDCAD1B7731F9F7070A1E2D,SHA256=CBBD4D44D51436CD6375388BB5C394E8E778CD221E9F92DA7191AA5BFEFD3E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:03.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD0A0E872139DE350C533557FDC0654B,SHA256=DBED0D1DC63D74D315F0B49FDF70F8150F67392C7C17D4AEEEFA70CB9A18C34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:03.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD569D80BE43CB449CD2BED9F69A3B0,SHA256=70E54B743B2341460B1DC78535B96B785E177EEE13B0CDE8B20254D1384B8070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:01.931{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:01.678{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:03.292{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715185686C3F385BD3B9060B516030CA,SHA256=C18D755863E7552DB5235714BA7450DDCC911FF98505D833C35E172D5F6449A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:03.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A083E1026C40276D186878DFFF37610E,SHA256=372C21EB096EB06F18D6675ABD471048799EEF78A3CCDEEABF6B5004DE918D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:03.125{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1D3B57F1F0C4585D2BB8DCCB2BA28D,SHA256=704F961F22156610013B61EC1B56F53F88BF2B5D350A69C8F11AFE736DC5209F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:01.932{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54386-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:04.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811AF848C5A7E8EE22FE53BF98BF0210,SHA256=12B5D7311FFAC4EA30968756B09B33DD189B4B28738C3EC0686F052234982551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:04.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7E9A27A4F8CA6F34B5CFBEE7DDDB16,SHA256=C6689E3EE9DA11C12D89689A1F02CB315D1645AF0E7CD3C78CFC711FDB697E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:05.542{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FB639B6F10977017EE9E4E0BF82B79,SHA256=152747AA661C5D8A2242BB41AECC51D25657D64C6FFD7CEB1FC9037AA1CAC141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:05.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05C95B023C61181C279D7F795E38244,SHA256=13472412008DB824ABFEFC55298F238524D5B99FB28F636CB7203C5700348C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:06.557{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4818D2EABBB9A014AF3665CA425D68,SHA256=1BE265FE919F8A3AFEEB68A2CCF615A550159C55E574DB850B042DF342F90918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:06.378{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B318B46352DBE16294B6B754D2AFB76,SHA256=A01675058CE7915D3561E2674D0A5CF95ED17F783153DD25CAB9E9C7B0243337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:07.573{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C05C7638E73E46589B589BC027A38F6,SHA256=3980390F80585F888D4C0B83489007A0B36EF15E3C59F3DA32178E8FFF970E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:07.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657FA0B24B9B4FB884C0621AE6FF5E52,SHA256=70457FCB2A18DB96D1B3A63FE6BB40C09368777A27091EE495B8BCAC901C4142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:08.411{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92CA1E18423D099452E3D4957072450,SHA256=90C1BF31779B7C912582CD3F9F9FD4C5CE38E15A120D86DB71D364B7E8ACF742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:08.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAE338CC438FF148FD0F38988AF618,SHA256=782B3BDA03797E3C3C10701F00B61099AD777AD825063E763466A2296FA238F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:04.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58968-false10.0.1.12-8000- 23542300x8000000000000000971189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:09.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D696D71DE1F256C8DA5B3C63DE8335E,SHA256=C3F140FF3E965187BF975E59A93F404D451F50B0E34F3440E5E2DD0930A52044,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:07.922{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:09.430{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6358BDEC5EAE9D0C09459D7F36F516,SHA256=1ACD8CF6C4AE48EAF9D44C07DF594D6AE3219E56B9D5B9354D728A0BE0899C99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:06.275{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-63184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:09.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1526300F33A14A02F65CBF57ACE8AF52,SHA256=F53243B676CD595EAC7805DABDE58DCF9FE6289723C8CE7683E849E6ADE32753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:09.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=043E44E92EDCAD1B7731F9F7070A1E2D,SHA256=CBBD4D44D51436CD6375388BB5C394E8E778CD221E9F92DA7191AA5BFEFD3E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:10.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1526300F33A14A02F65CBF57ACE8AF52,SHA256=F53243B676CD595EAC7805DABDE58DCF9FE6289723C8CE7683E849E6ADE32753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:10.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49EBC3FF7703E4D9D3CD909F0BA5A2E,SHA256=7BBBA13495D63CC49688E707B0B6C6A73CEEB6141F1F2C7B55B01A7A2C94A815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:10.431{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D314CE47CC4A535EC628FEE1B30774,SHA256=D26E10EE5B69F5C8F728ADB272A1C0D445B1B71270A0E2C394E493CDBE95256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:11.733{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4274MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:11.621{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F562BD88B9C256B17A2DB7D88D1C378,SHA256=1708CB997A7132CCE21406F9961BA6ABAECE8FFC18CDAE3DD1561EB2668E72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:11.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8450F98AD334351D1097BF5C112CBC2,SHA256=44C499E94C02F00E0DE0F68884419A417B8F6B41FA50948AD7021D853EEFEEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:08.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:12.529{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26628A17AC8F4739379E0F601A704900,SHA256=C296D2A0E5B9874E9DE2CD0D2F7FEA23928BA6B1C19BFBDDC420A4DB370D8D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.935{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.919{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=4D99A3C0B91D282F0F080F420FAEF8BD,SHA256=10ACCEB01C29EAEA46365D41BCA1CD1A6C591EB31A878819C8B253219D3FAAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.919{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=9FCEA442CE8DA25FC1FAD6B18493D62D,SHA256=F9823B721A4484C23F15EBAEEE678B55CFF564FC4139C45C7E3A04CDF97A2507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.919{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=B334325BED8E5E50C757954D961D52B4,SHA256=57A205670EDF794B522C3EDB58F1F2906558A1746F01F6366735FB8049F5E994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.734{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4275MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:12.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1181ACC2D215A78E53CA1ECA940C3CC7,SHA256=D6851537D32A569D3ED622E8B612131D7A1C4661E1C2932212F6E3E3413788C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:13.544{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC76A481A2C0765930FF59BF2997F9FC,SHA256=794540275E3F990C6471B8EB5AEEF61282C055413DF82AAA3A68D53249A7DD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:13.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1691BEEEDB5AEF50E853CB7266E0B3D9,SHA256=E6F603DFF3328CAB62C033DB108B1F38B1CC6EF7C4E18D963848F1CE41D1A5F7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001041831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001041830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fae8681) 13241300x80000000000000001041829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b372-0x7cc4a4e5) 13241300x80000000000000001041828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0xde890ce5) 13241300x80000000000000001041827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0x404d74e5) 13241300x80000000000000001041826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001041825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fae8681) 13241300x80000000000000001041824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b372-0x7cc4a4e5) 13241300x80000000000000001041823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37a-0xde890ce5) 13241300x80000000000000001041822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:37:13.529{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0x404d74e5) 354300x8000000000000000971201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:09.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58969-false10.0.1.12-8000- 23542300x80000000000000001041833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:14.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E77FD763C05B049EBC6D1F977904D41,SHA256=19CEE644333073A9AA5DDBD675D8A24E832774D07ADA7FE5E7DF19B419858F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:14.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBF2A153E69910FC49E7A0E1BACD5FB,SHA256=60999AC7B626A2DF88010E9293F4BEA9D61A6887D1FEB068989C1808150C09DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:11.566{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58970-false10.0.1.12-8089- 23542300x80000000000000001041834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:15.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1F3AC12FA9593BF97880772A9F7236,SHA256=2BFF17D7254CBBC9C5B171EB356144E3D32762420BC493BDCB14F45380DEC7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:15.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A31122C2DAF7BCE63962D7D89E90890,SHA256=B160F7F0D28510C30E43B5C61AE2695CAFBE7A6A99572410C30B25A3F019C721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:16.711{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB38830E533A1F4BC0D710749EF0D99A,SHA256=0BD8EAE8A222ED6E68EAA88510C9FB6FB38CBDA0DF5A83F21A154D4CF934134E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:16.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CEDDC4BB9011661F487958DE660698,SHA256=D4CEC898EF3202D2D9359E31A04F6C16230E2E4BB324B54F4AE105975283AC27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:13.851{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.741{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5581734C0BEEE8F72A1CA3C28AEB78DE,SHA256=CF556B3DF12F7B470BF60B82A8CF2F751460AA86AD4FB1C5A8BA813345848C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:17.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125B74742BEADEF8E3F5F092825E3B8B,SHA256=8C97689AFDB92FEF4E5C919852DD833648931E6DFBBA3EAB45E1C42C2978E87D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:15.681{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65233-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:15.681{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65233-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001041845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:15.307{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62127-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D54098CDCC00B19C23A7689AFDD3DD50,SHA256=F948061013BD01B7568D92992E945E511C0B7A601C73D2A95C6F02C0A26CDF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E7637E300993EA466C29B63020FB8626,SHA256=E0B0F4B123D0D3EB835CCAF0799EB8F054FC8C2221BE994BADAB259DF6C506EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4BF249D6ED6A5AB4BFE4B227670A2960,SHA256=978C3D85F31688D2345B14C19B2ECC5597A43D03E1344D729BA7A1A4EA1ADC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7DE666698A14474F46035A84BEF2390B,SHA256=704443FE04E6FEB5C619F93E13DC7103661A2F7FCF525B9B120340612CD0908B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=59BFB6FE9BC0121CED7E68B074CB64D6,SHA256=5E79F794200BA039CEEE5233911E056FB3ED40143F243DE4734D029E9F365106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0F661A3C2C26A0846179CE63BE7F7724,SHA256=5FA85A78BC7720B8003D5AA685B964F2DB22A55D2EF67B273CDE367960CFFD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.010{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EFCCD6875C32494AD423BA9D82A8D52,SHA256=ED0E97D859D9C010ED61E712E7D438C3671018BE2C8F67ECF5D79F0E693B912C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.009{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715185686C3F385BD3B9060B516030CA,SHA256=C18D755863E7552DB5235714BA7450DDCC911FF98505D833C35E172D5F6449A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:18.771{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB26E805CD3A029004C482F2FA3C2509,SHA256=5885A7192D5FC98E0DC8AA2C3625DBBF6A294CE8FF52ACD411EFACB49611347F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:15.754{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58971-false10.0.1.12-8000- 23542300x8000000000000000971208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:18.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7032C4F72D9E71EF798FB40E0A39225,SHA256=AF5349E0290E1386C8B07A1104C954151812B510B8B879F79ACDD40EA477F296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:19.805{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3C0A828729CA532627A0608E0E955A,SHA256=F0CD0385ED36330F8EB5BA90E8D1FC8FE9AB0EEA221A6FD755103BFED2FB771F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:19.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CA9EE3DBE90467CA7480E85C26F9BD,SHA256=5AF571EEA45085A042767C3E57F77D1E3D5D44754F2D5D358A22A2737A3C4C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:19.605{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EFCCD6875C32494AD423BA9D82A8D52,SHA256=ED0E97D859D9C010ED61E712E7D438C3671018BE2C8F67ECF5D79F0E693B912C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:20.823{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01517602536785DAB1656B1F7B693295,SHA256=5FC6B076595D8D602608F06E278DB71C82AC71FC3DC1D2D553234110669CF80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:20.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1231359252760E5E7AA4BF3B2D3756,SHA256=7C8F17EB57B9C1EE5D8BAC4746CB9A904EC27791B386A977AB32B1030CDEE1F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:17.989{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:21.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B20137E86263CE7771BC9CF7C2CFFA,SHA256=714761B54B81D1064962E883950A9DB13B002994B958B495465E7C5C1DA03CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:21.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D747B65BD9D04F5E1CDE38D885CE573E,SHA256=861102D39F8CD5903390A70E29AA7D730D6A8270B01D94C7AE9416BF2107B385,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:19.636{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59090-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:21.285{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3EE34E9DDA88BCCAD24CCC9AE080F55,SHA256=85EE53ADBE265FE7C734D39E19580E80A7FE7B37F3FD01CF831C1641BEAD0355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:22.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE17F9DAC18DE55EDD428EE630F0E39,SHA256=22D1B9DCB6DF58D42827CC23C672F7F0D2A4C60839CA5E362551D264EE00BE4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:22.937{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6962CC51C54758C1CFD246D2719E78,SHA256=DCA2C376E7353328AC18F770F5712DAB2BD90962A765AAF0D5F2BB8410995108,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:19.793{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:23.996{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F680709B1C9D871665E2F9266B7FCD,SHA256=CC179285259E441F74C334F3343611FD030BFB35C42200B83005F4F6A61B3C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:23.967{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E371C4DE00638D015CDC48701FA79407,SHA256=9A31F5F58EC3FE6EC9482C2A2793AAFB05AA5CA682822305E0F55E6002C7AA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:23.483{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E535356EF258BB2AEB8863AF96144B6,SHA256=9AA731500187C670971D9B7A1F5CDF8F8CA430B74BFAD0ECB3B169F0A094419B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:21.606{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:25.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D937B1BB7B89E0BC259F8370D10FF502,SHA256=3F8060CA27F22BB75DF557AC39A23580E9A05CDF4BDAD4F8816D839A7A3FE423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:25.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF0021B39FA7464D73A0CD2D875308D,SHA256=12908705DAA4A5A71CD0B8AC81812DC4390E43B19C06035CAECC20997243F258,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:21.735{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58972-false10.0.1.12-8000- 23542300x8000000000000000971215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:25.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B537689E455CFC3A2F92F91085861D3,SHA256=D845C66A6397A1DA5B8662A76D349267569501B1A95FD030E2276A9536561F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:25.035{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C997D092F0CC059B5D6A0DC53FEED6,SHA256=1F18C52591405BE5227542715CBFCED2E9F7B1AC414CF3ADAA8D6C408BDAB497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D937B1BB7B89E0BC259F8370D10FF502,SHA256=3F8060CA27F22BB75DF557AC39A23580E9A05CDF4BDAD4F8816D839A7A3FE423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C6-6151-D178-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-82C6-6151-D178-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.886{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C6-6151-D178-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.872{69CF5F33-82C6-6151-D178-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:23.531{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58973-false10.0.1.14-49672- 354300x8000000000000000971234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:22.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.386{69CF5F33-82C6-6151-D078-00000000FD01}8922544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C6-6151-D078-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-82C6-6151-D078-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.199{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C6-6151-D078-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.185{69CF5F33-82C6-6151-D078-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:26.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7C3DB212C18CB8B4D7327E3B15A28F,SHA256=44450057EC775EABAE72418923F25BEFFBEA33CDC00736813E84F632352D6A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:24.587{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58973-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001041863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:26.050{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F75B81B3B594E8FB90020A28809505,SHA256=D6F0560780EAF27546F7CE1B3E5808DF34005DB1CBF0666C56D4647614697422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C7-6151-D278-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-82C7-6151-D278-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.574{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C7-6151-D278-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.559{69CF5F33-82C7-6151-D278-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:24.494{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:24.261{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3F6C46377EF3C6014B9B58D87E3A8E,SHA256=AC41AE5DB077E8137A37D9AADFD64B2E4C720FA8853D29FAA063DF73436A31C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:27.917{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5CCB8DC9BDD7AFDD8029DFE5F6EA97,SHA256=83FEBDEFDB16C672FA6FC97D88D3A0DE826D1E37BAFC3A73492700DC56E83396,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:25.315{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:27.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0868CDF76DFD4402E81ED30739D91508,SHA256=F5C65675E7C10F4F5BDB97EE4CEF0525EE108D9941036F52ABA67BEAA76CA8FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.090{69CF5F33-82C6-6151-D178-00000000FD01}22683852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.958{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C8-6151-D478-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-82C8-6151-D478-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.933{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C8-6151-D478-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.934{69CF5F33-82C8-6151-D478-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE0AFFC75B1D3C68D1B05234BF09243,SHA256=2E041645BBEC725DE3239211498520F844E0809BECB870071AE4780AF6134134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.497{69CF5F33-82C8-6151-D378-00000000FD01}2636592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280732C42398C0119106E18ACB43680C,SHA256=C9EAD5142947737F1BFB9D691D29B38398BBF8CD8DDE6B15BEC54F44E7537846,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:26.078{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.103.226.77-61143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:25.774{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:28.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED5B1658DD30205BE1B2C4E0309AAD4,SHA256=647382557DCBA73BB5CE53A65B6E4DFD0F08E0506425FC9B7B015D14BDDC95C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C8-6151-D378-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.262{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-82C8-6151-D378-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.246{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C8-6151-D378-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:28.247{69CF5F33-82C8-6151-D378-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=563519F3F42711EC98A72235C7DF20CA,SHA256=49A6C23F12E16B3BFCE989AFCB0902CF26AB045242A416F699C8BA35F12938C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.840{69CF5F33-82C9-6151-D578-00000000FD01}2844012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82C9-6151-D578-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-82C9-6151-D578-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.636{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82C9-6151-D578-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.622{69CF5F33-82C9-6151-D578-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A10E7DDE7FA2DC7A97C7B92E458DE34,SHA256=092BF0E2D8581EE5F9943D34E430AB1F9D138545E046F1E625DF0A3A1C05C97B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:25.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:29.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C99F9F6DB5F6BB0CEC6A36FF267156,SHA256=CD03B51AB27685EEF7B616F936102B02D774DDEE5766E56E0F3D0DBF8289CDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:30.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8E3714FEDC737AEB5B378274A2B332,SHA256=66861D008B6B3FB1EA33CD7C70222F36ED158889B44921B718FFB9F9F5A0E41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:30.279{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF7FC35B80AB001CE0ACE429B0665D4,SHA256=9C2A5B80563CE61781223336838BFAE6EE98DE0CA69EF2E21CD284961D9C55CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.722{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58974-false10.0.1.12-8000- 354300x8000000000000000971313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:27.701{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.84.54-23406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:30.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD619FAB8BDA17F8CC1A3AF41293AB90,SHA256=625E3917C49C467F1A498B50A227EDD3E300D3B3E443D86D0D1A088A80AD4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:31.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CF4195053F884E0D8345D65E20DA93A,SHA256=FEF049BE44E54C1554CA15D71DE7A5152BEC12102A9BB8921E7032072CF33198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:31.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854495122735B17929320D89CDDB67A8,SHA256=7EC555C19CB1C713BD47DCC68BFE5F7EA336A4538F581A79BD0B15986D8BEAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:31.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F593F33576B33888E04E686DCED9701,SHA256=B30AF48E14A74C36CDEE680D31C5FA117206882218B7B58B6696EE07D25EEBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:32.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22DF34E480B29E4D0D02291CB278B33,SHA256=82D2278797316978A290B2FDD4E70A85606CEEDD92BD59054FC4C7870E4D2DFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:30.910{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:30.839{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:32.745{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3BE7C99A4B0050D5104796E13DF878E,SHA256=6E64A441B7728D5648A6C034359C3040D740E5A29BF9B237CA0AF4AAE61B9D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:32.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A98E015EEEC8A2306927705EEF79406,SHA256=18BA737D971D87B3AA72939BED541247BCABDE10B6956ED7A4B5E2245D498E42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:29.162{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55198-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:32.277{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ECD310B6C1BB4B7CD38D457F54065713,SHA256=A39407942F65D8AD511918E9297D8654188BE8AAA464671D57C969E9A0BBE6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:33.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CA47D2C3638F00B057F2413CE420DC,SHA256=B09B68B9509D83B8464CC017E33A88C4E5575692EF39A11D56D79B7C1FBBB0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:33.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC6F514CA121D02A106E14CA872E80E,SHA256=009C4B845D3880A877C8EE5C87B00DDFFB96CF0302B20FBD92F4504E80FAC88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:34.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58FBB1C46162308831E82310025C991,SHA256=E995E8417C7E1D0AAFA264D251F1643FC8CDBE386BD1F8EFE281CA5CB8109F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:34.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC10D9DA63B731FFAA9155455ECAE08,SHA256=1DC465B745FB7A1C8812FE74982BC59EEEA996CD45E57452CAF463447A0D5562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:35.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AAC8419F1B134073C146DEFD02803E,SHA256=D903F818C6507FB5496C8EAD597DFC9EAB529EE70F8566F365DFEB1AEA514D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:35.815{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:35.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274180B24AD1A8B68F10887CDD487B7D,SHA256=65F32405F4788EDF0C0746A88EB625573CAAC0055B918C313C0F614BE2B0B94C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:32.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.84.54-3600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:32.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58975-false10.0.1.12-8000- 23542300x8000000000000000971326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:36.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76BEFA9CC75F5080778BD0CEDE06CE1,SHA256=7EE02D02DCFFB1BC42BA4A343FF053E57302FE9EF52507B70F2AFA7EDFA296C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:36.396{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B79ECCB8F1300EACE2644B78E1258B,SHA256=A67E63D241837187142CEFB71AE34AA328CCE5CBFF1266C7807CBF4819E04991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:36.015{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=DBA5A21BF29AF021D976C51D7E571185,SHA256=DD9F0961D9572F169D648D361DF3C7B62CF4D790B1BD8866A83CC0E1C4FA5CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:36.015{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=C491357063217FE3518D65D1E67B3308,SHA256=C89BCB7FF55B7D67A98B5B5BFB055E35E12611065529732DC08D11DAB9A2C950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:36.015{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=D1536F366A5A0BF40BAB3B9ABACFDDEF,SHA256=40745DF48C955F4401F6E1794739BE661CDA719FD6058CC5BE72C05C88F98943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:37.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E6B8EE66CCBCC11A80C68F70964488,SHA256=7278638E97F0703F5D5F3380DBE8C75DCE48E8CDE50A705BDE1C300265F4DD7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:35.485{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001041887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:37.419{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6492A5294424A1658D6CAB77E7C4EDA,SHA256=1024B86CB3F7409C279A038DDD88E099FBC8105A88DA25949B1438994B2F222C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:37.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F64403E6E49F9E64A3BEFEB7FD0EF4A,SHA256=311C6531754B3B0EE0A962741364ED51C081EFCA79965D71A8D182E4F318B5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:37.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60383FCCC844EBB3FA4845AAAC6ADD4B,SHA256=FF7350689ECE32D8BB71ABD3DF6F806FBB3B149FEF6C04E84F3943DF2E4264E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1A1209054864193AEC28F3E6EA304A,SHA256=3EF05D8431A65357186C7BEFB04726B71F35EEDC0F1F9F987A4BF01EC447D86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F64403E6E49F9E64A3BEFEB7FD0EF4A,SHA256=311C6531754B3B0EE0A962741364ED51C081EFCA79965D71A8D182E4F318B5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:38.982{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=61667BC931D57E6DEED5AF5EB779791F,SHA256=D4F60C224698AF4A2F79EC7722609AACC65700E3AB49BC33C228FD247DC063C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:38.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F5E68D0C791C767BB2E70A059895C,SHA256=75C7089F4763BE28A81CC945D884E3E4CEFEFCC6F6AF8B8D5563F0B85454D8CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-82D2-6151-D678-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-82D2-6151-D678-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.449{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-82D2-6151-D678-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.434{69CF5F33-82D2-6151-D678-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:39.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056910D9138765DFD0279EDCB102B45D,SHA256=BEFAF6AD3058C6B4EE28D902A4D91BC1B1EF86D9F7BB7E496454C99D0791C5DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:35.605{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59307-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001041892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:39.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAF894B013A6B887605838348E5D643,SHA256=5D6721FE9E57FDCB7B2F380B1B35D85A79B3359E11529A023A033A0C1E57C165,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:36.805{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:40.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE2CCD9C94E8DDBC5ED8F2CF047BB06,SHA256=9D4E3D5825F7506B2985F262996B640A3AB7D3493388E51CC432666683F31222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:40.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EA52CA8A86854F4ABF7A36E6B1A9C1,SHA256=30D6105FD5F692BC316E8C62792B8C8A61EAB564308D0D30071BE9E25BF161F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:40.319{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A727BBCE9F534C39919839B2ECAC3B1,SHA256=592A87C7D4BA84E04E25ACE9FCEC6587FDF5982D88B4593624C4E3DA27589C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:40.319{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1FA59CA1BCBB609756C44990C48C24E,SHA256=5104FEDECD39D89C2F4097F5EBF4CBC43A0048E5754CE5D88EE205B7D98843A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:40.152{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4274MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.782{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58976-false10.0.1.12-8000- 354300x8000000000000000971350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:38.378{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:41.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EC34AA75AA7B0CD76CE9E57D1753C4,SHA256=FD928C5082ACC3C9A8F7E542640977A81E5E15077CC5F3AF36480B84C76D9DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:41.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A727BBCE9F534C39919839B2ECAC3B1,SHA256=592A87C7D4BA84E04E25ACE9FCEC6587FDF5982D88B4593624C4E3DA27589C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:41.603{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D320AE7549B0AC1F3DDB9428BA0153,SHA256=873DC45C3FB54957AB63EAA583EFAD2253192DF20CD15AA4160BCC2C27132215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:41.183{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D63DCCD8AEA69F1F9289E2B588C34D,SHA256=81694299B5ECF1449BF46982EE1EF7E631D62AE6D746702225D93A11D3C4DBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:41.151{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4275MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:39.337{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:38.640{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60535-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:42.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231B11FC1C47F4BF3B68CC4E4FB3006C,SHA256=BF45C3C2EB630AB28C52D6BB57E2E39F33179381571566EC17980A6BB1A49263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:42.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=717326D96A137876D18AEBDD8AABBFC1,SHA256=94C11A84896B220C5B6734F14DC9FCAF24006D828C02A90931A54F72008518B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:42.618{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967AC3E2DB73C93531C91C6C3875D46,SHA256=9B88C53B06F352ED5F3454DCD8B3325E53F3C593568DD970207711A62DE6AF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:43.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562FE7D4C56B77CBA996FD78CD44B5C4,SHA256=46CF176E0418C4668B6307EF7A533E6BDCBA55A8DACB588FA1286538BED9CB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:43.649{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062506BBE2C892D89D3548C98049D1C9,SHA256=CE0A1118BBCA81C5F535CC7DD83B42CF25CA642C8AB1315656EC952DE6429413,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:41.234{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:44.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81224E0D56C261FADA456AEB996F5166,SHA256=E48F24D038C400DCE7123922513AFEF464476D71555F9CFD050581326DD17B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:44.664{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E72AA82E844C8F3E74926BA26D36289,SHA256=9C206FA78A8E83784196351180F4F65CB54C70903BC1AC62CC2A911C80EAA2AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:41.910{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.992{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1FDD7BD98F6F38518EC63EDE5A127D,SHA256=88A0A07164A33E6A0193412D3F4AB9E26DD6083690FDEB2403701553A91439E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.701{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82D9-6151-2F79-00000000FC01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.698{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.698{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.698{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.698{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.698{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-82D9-6151-2F79-00000000FC01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.697{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82D9-6151-2F79-00000000FC01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.681{5EBD8912-82D9-6151-2F79-00000000FC01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.680{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E26D4B86D8FE29D0A485B8DC6842E3,SHA256=D8C26BF2CB1159DAAB8359C3B64A4DAFB8FBC2B1EC1AD3B00C14A77EB0D8C9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:45.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8D5D777B0B1742187A5F1222546765,SHA256=906C3C16A019EE1143A3DAD9AF5207167C5FD06BDA873707B7B1643CFB23D08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82D8-6151-2E79-00000000FC01}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-82D8-6151-2E79-00000000FC01}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82D8-6151-2E79-00000000FC01}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:45.002{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:44.981{5EBD8912-82D8-6151-2E79-00000000FC01}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:46.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2220F7169EFA27DF0E5D34C190D552,SHA256=2AA5C225B289A57C40639F9B8073D6CD909478A13BD89954BE45C7AB678DB5BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.774{5EBD8912-82DA-6151-3079-00000000FC01}52041648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D86A561F6FB8E55F26E1FB9D93D402,SHA256=F60687D84F792163492EEFE52042A242063C27099C6E3414CF0C38168EA385D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82DA-6151-3079-00000000FC01}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-82DA-6151-3079-00000000FC01}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.573{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82DA-6151-3079-00000000FC01}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:46.559{5EBD8912-82DA-6151-3079-00000000FC01}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:47.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2EB9B3954BC1C1052D4270639088E7,SHA256=82AE25D16EF6F1EB777B594F47C2D90719CA61A2539A08852EBC364FBD7EC5EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:47.711{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B23B4A2D3D65F4E9B8CC60ADC3A7EE,SHA256=73F95B19AAE7EE55EA6CAD38873CA416BDAD57B412FC1EFD25F1C74ACBC1DAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:47.573{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09FB0C467A5323D6E046F4ACE4B7A652,SHA256=79E64D331DEDA0D6C2F1386F3A74B6C3E1445404227BAFA0F09BF15CCF52B82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:48.741{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEF7C3DE3212566CAB00A42F7D1C98E,SHA256=E6DFEA811CAB293E7596433326024C6B57FEF95FB4A9994CB14D70593C5FB53C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:44.756{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58977-false10.0.1.12-8000- 23542300x80000000000000001041939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:49.790{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C80794770A86F67EDB3D4D67790CC4C,SHA256=AEAB627451073089943647C63EA0B737E46606283E20760CAC4233111BF5C404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:45.967{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:49.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B84CBE9D850BD24F88BD9159A1BA104,SHA256=B1AADEA9FE71ABABB0D8F86A071A2856C3A13894CAD2354AFC9F24424F638713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:49.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F4CF6EFEAC0C910F5580D65CE95D4D,SHA256=105EC8AD369CEC012E0CD8289EFDB3AF43EB6F7E8E1F1B39A84021A42BB19952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:49.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E01A0AB0E248E4972278AB2E144402D,SHA256=CD5AC9A19B417068004659B86E5F8A76BD20AED31845B89FA55A13047E8CCA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:50.808{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD28E4FBFCE9CE12C8416B93011EE347,SHA256=D5D4B673995879FF3AD6A5632555BEAFAE03DE0C1FB279154916A9B93B940827,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:47.602{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:50.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B84CBE9D850BD24F88BD9159A1BA104,SHA256=B1AADEA9FE71ABABB0D8F86A071A2856C3A13894CAD2354AFC9F24424F638713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:50.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825B1822BE4B241F3FCED6F1727998A9,SHA256=9FE8F052792F288E44FF6E934FE35D8279D9AD0989EA4F796BD223F4E4D5ABD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:47.817{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:51.808{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B20BA698CC6A924AD45B4F9B50447B2,SHA256=6D2165242514CD61531A835CB54D981D9B32A42498F1A7DB4E085AB66DC6E86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:51.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC0CE59EA8CE723797DF71DAE59977A,SHA256=35765446347FFEF56BE1AC3696844964EBC82E8D5FF110CBA5D12CB0122ED7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:52.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6191B61912402448F922058FEB483D9,SHA256=AB71ECD3C86352F763E1756F652D03E019C05251651340A2C68DBE923C6DD723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:52.829{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BEE8F9112181639000CD5AA065571F6,SHA256=E2C1B509C4807DCB4683A22D0B2B8F39C4556BFA119FFF1CA022B661B8306492,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:49.756{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58978-false10.0.1.12-8000- 354300x8000000000000000971368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:49.451{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51593-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:52.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFFE3D2E1B3AD6CD44C24717DF7E070,SHA256=EF1AFF245D18BF3423E1FAB4EC32265892E6B42A6792AA96C97B85664611C974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:53.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5081E8AE086EAFFEBBB3B6E992D0A3,SHA256=A32D8EE46467DE98AFEC2EF825A9D49705068B287600929A561299212307815B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:54.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061A528C418ECEA46D0B0C32AEDCB973,SHA256=EE82434B3ADEC96A59A0DFED050ACF4DF204350F015CED5C97B0379E741DEE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.692{5EBD8912-82E2-6151-3179-00000000FC01}49763756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.507{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82E2-6151-3179-00000000FC01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-82E2-6151-3179-00000000FC01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.491{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82E2-6151-3179-00000000FC01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.486{5EBD8912-82E2-6151-3179-00000000FC01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:54.007{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614311EE59237317BB691CAE2EC7AC96,SHA256=5849D0E032DDAFDDB5D597BD22680BB6DA023C0456149F2360D416D582EA3FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:55.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF480BE901426564B447D2F51800C8DF,SHA256=E67C353B448F510881FF9CB42C83DA6588C35322BC83AC255B0413F00A23C89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.869{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82E3-6151-3379-00000000FC01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.869{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.869{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.854{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-82E3-6151-3379-00000000FC01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.854{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82E3-6151-3379-00000000FC01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.854{5EBD8912-82E3-6151-3379-00000000FC01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001041966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:53.761{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001041965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.507{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FED40521C9E7564735912D568A58DCD,SHA256=C65682D0B653F6213165BA7ECAC0923FA3D70AD5AD98EB468B60D77340290E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.507{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB20EA2504337BD722F2D93197DA80EC,SHA256=13BC9D1421AC702A37E2AAA4443C8A453D847A19003D5D0A8CC86C6AE5E8EBB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.407{5EBD8912-82E3-6151-3279-00000000FC01}60724180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.189{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82E3-6151-3279-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.185{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-82E3-6151-3279-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.170{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.170{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.170{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.170{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.170{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82E3-6151-3279-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.155{5EBD8912-82E3-6151-3279-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:55.008{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA451DF4116536E6D03E4F2F6EF2DAE,SHA256=6EAA114AA4EC0424CB8C028B22A82E98F0B5B939CDAC28D17A8B8665D344DB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FED40521C9E7564735912D568A58DCD,SHA256=C65682D0B653F6213165BA7ECAC0923FA3D70AD5AD98EB468B60D77340290E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-82E4-6151-3479-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001041979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.569{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-82E4-6151-3479-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001041978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.553{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-82E4-6151-3479-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001041977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.554{5EBD8912-82E4-6151-3479-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001041976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868731884A808EC5886975BC2644D27C,SHA256=53CF80BD765F9C4729A4BD170B034CBAA706BBD261224ECAD95EAA2CD5043B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:56.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB9C3B3E13B33CD3B4EB4005382BE2E,SHA256=E98412143B9A265502E53776204A9EF463DF925CDB07A11C6DCDD31337ACBFDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001041975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:56.038{5EBD8912-82E3-6151-3379-00000000FC01}50762868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001041986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:57.090{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719B1606AFF37A94889073C5E726FBE0,SHA256=C86EB39BAF5D6895577E764ED922344F23288E02F075E6B4E93B625257E7D41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:57.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F2FE68D7E0D013CC896DECA13B1A78,SHA256=2C422DC344E39819A6CFE57B62C23DE59FBF0C6CA033BD120226FE6FB5F25BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:58.121{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB2AC82B12967ADBC3905FC571C6AE5,SHA256=A78384A6344500E1AAB76AB1995733E3A9D01672110822B3E6AC1BC87A4EFC4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:55.755{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58979-false10.0.1.12-8000- 354300x8000000000000000971379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:55.436{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com21552-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:58.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8948B45F70CB8412DF1B4F330013EE54,SHA256=6A76E36D1C5993110DDC974DA32EDBE0EEB51FD1498F19583355BAC587DF2A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:58.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=412E5EABA72948B3FA45894E41B272F6,SHA256=13F7E4D68332D45CD4645A3B3D8966D1058A92369D36731DBDDF4D419BCF3DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:58.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642F0E3030CFDE4AC81CBFCC0229CD59,SHA256=AD683782E8997844E438270952AEBF2E98B9B7CA0066777DF9CFD1054B6CE084,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:57.865{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:57.438{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-50570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:59.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD15CB7C26046C21AFC2FC814175FDC8,SHA256=5CCBB42AF9A4F30BF4B27C921F114C7C87DDA2FB446A7959A8AECC2802D7AF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:59.168{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359F42BBB401545BD41EB5C1948CE157,SHA256=D78446CA427E5EB3ACD3BEF0A3F351315AD570FDDDDC5296C17E307B6CB6AD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:37:59.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5024466661DC929C9FE16A680FF95F7,SHA256=2B5C2066B288633C9C8F63A3D622377F968DCCD8BC7BDB06F8C00333EEB718C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001041995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:58.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001041994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:58.580{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com25772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:00.539{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFCAF4B1864AF760C54426D0B120282,SHA256=DD380D056A16F95A6C2308613CF0A499BA8144CCA44902DD2563C8B4CE645A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:00.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A7F43E0F93F5B32067A060E858EEF7,SHA256=DB357514F0AB39AF36D92947E9FB934C332E286DA5F0767B91B2B83D8147ED5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:00.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7563CCD8729F53D08104095C5956F8,SHA256=0FA6DED6DD7E23DB28FBEFFE84D054D87B81B437884A68BEBCE702008BE1C489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:01.270{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C1359FFE819A160A63D61477839359,SHA256=FF6B85740EDE2FA4ADCDF4DAF870F3FD15075763DAAE7FAA56F4B6827BD131A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:01.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C9C57F32FD7CAEF6F1518347366B72,SHA256=5459ADE8E40846CF8CF39007D4D001C31D81F20EF21627ED84AAD061D1736C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:00.532{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001041999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:37:59.519{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59321-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001041998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:02.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F912D032E20DCC227CA59C887FF837D9,SHA256=39456A0F7631DF351DAC4E0A3C4F00FDAE44AAAD0935EF3243EAA4F56A3A79F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:02.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5FE606DE037718DE4A4430D192BC8F,SHA256=FC652C41BEF5A558A4B5FE34B48CC76B4275E73EB01C076FD10015B5C8C5B091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001041997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:02.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3861967C6CD4D80811FEC687EC64D1E7,SHA256=613229B990E09292C9534724F66315D90BCCE932368AB57892E279C17CC3295A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:03.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D79427D5D212CB1A5084898215E136,SHA256=6E57CBF25C9836DAA1332C8188BFB43ECB3DDAEB48FDEE4A9B4D764F9AF3334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:03.146{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FC03609DEB4A58EDB339242B7B2661,SHA256=E1414530685BA5114C7485197EC23C681DB67A6803E1D637AB87B73591BAC9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBC37DC510FE03527D1EAC55A95722F,SHA256=FBE7F192E1F52FED5C19B1A6EA96531202B1289701599D24A46EFD4882AD41EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:00.854{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58980-false10.0.1.12-8000- 23542300x8000000000000000971386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:04.162{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1B4493299404519769F5A6ED99002,SHA256=B048572688DB1C43E5AE565BA18C3839D04894FAF8F277F7FF7C6C180EC230D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C13FBF25A85587125E7E027BE9E6034D,SHA256=0D8A951AA00B18CD1B9D076E84F037851907D2360B4E682E6E6C3276D2BADD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C03E7D866780FB9F02DD7FDB0A717A77,SHA256=68E138FEFF7F78542C7D5F99D4E366670AEEB130261B84734B219410E4A2FF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=65AEEDA70CFFCECB57C21AA26F17E8F5,SHA256=8C567EF3FBD3B4EF2E20781A68D435D84877841FB5A1DDAF571286A995D6E3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=85DD82A8B6F4C4D21DC60D0C2FB2415F,SHA256=C5864D381CD6CA38B14FE797E6FCBBD8C244468A3CC4B9FC18FC47EA634443DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B16B74AB9A2F4AEE97ABF2A06E2B14DB,SHA256=FD7B6AAB45BE4CC09347827A1E6A9C8437150630BA2FC9DF86E50615209378BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.421{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B0DB72A9D987EB23B3DBF2CF3E647A24,SHA256=4704DF64A926A0F25A317DF8AE593FFD87FECCA0AD3361BDC6218E85165A069F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.268{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34308813F8667D8B93E704D28684A34,SHA256=05A20BA434B0407CD756E9265BC4B0F7EF758F6C1596CBD79327B44D48062183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:05.504{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64E57C3831DB0419232C27E6E8EC823,SHA256=F261029C54961791AAC7AF73D739C89D30560C2B404DC8F648968E868A792C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:05.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76FC05CFBAEA97C4578977C00665BF,SHA256=C13603CE7FE136CE7F739B5CC32046FC4D1CC85BDAA28CA73DD5109AAAD92514,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:04.827{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:06.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFF97A8298417790B26AC595A489849,SHA256=335192F04F8A26D59236B4D2352103F56F79298204B525243AAB0361FA87A8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:06.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58EB66A195C11A62E7FBEA6B17565CB,SHA256=97323030CE2340EBDC1091C7D4960FCF187D1C877BC83BF3B7EDCE26627D7982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:06.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8948B45F70CB8412DF1B4F330013EE54,SHA256=6A76E36D1C5993110DDC974DA32EDBE0EEB51FD1498F19583355BAC587DF2A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:06.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380AEF6A235988B93A64A0959049E953,SHA256=9CFD3E70A258B1EC9059488AFAB171CE6410C4C5D61757FB0435C24506A91C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:07.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280F485E46C4B64D07E5306FCFEEB95F,SHA256=EF405C5E2EEFFE823D07B662B419E027CCA459302E7F0E7B42E0728E9BF37AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:07.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0937AE44B50BE2E9464AE1D3A3C596,SHA256=D29952535FFAA54A843CC6135360D4E316836D34302DBA8BE2546943CDFF8E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:04.200{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63573-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:07.365{69CF5F33-7F28-614D-0D00-00000000FD01}78032C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-0C00-00000000FD01}720C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:07.365{69CF5F33-7F28-614D-0D00-00000000FD01}78032C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:07.365{69CF5F33-7F28-614D-0D00-00000000FD01}78032C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:07.365{69CF5F33-7F28-614D-0D00-00000000FD01}78032C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:06.440{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61397-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:08.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D518DA874267F4A11CA42A48287830C7,SHA256=FA31816A12A85F98A3DE97DD678A5ED11FCBE892FD4E028B3B6D7C124CB21867,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:05.907{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64782-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:08.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58EB66A195C11A62E7FBEA6B17565CB,SHA256=97323030CE2340EBDC1091C7D4960FCF187D1C877BC83BF3B7EDCE26627D7982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:08.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71D7F1C8AA6B5A2B3B0F143F54CA616,SHA256=E35968B8986DF2F06BE9C8B36ACBA8FA71A405A2F382544B09E7D6EAD274231B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:08.301{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E971BC5EAF68E05725BC27149C6FEFD,SHA256=1CDA42823946D691BE30B7BBC9AAF5E63A06216E0685244F572BAB102EB30EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:09.747{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16005BC14D97094947C8425EA286F75,SHA256=AFF445B4190CE569F85A4EA748325918DF22E4F961EA84E8C3659AE87E9C89B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:09.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C463A47D09BD11B5F5A231D4843881,SHA256=5E13629FB7F4AA06CB336C87EC8976FB01DDE1C289D9FC08CDBF54D841F150B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:08.320{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:06.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58981-false10.0.1.12-8000- 23542300x8000000000000000971402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:10.771{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4794DC5DABD64F633755E6732B15640D,SHA256=B190066C02E16979CDB6728BD5405A915164859C5653DEAC6B76013D92E0DB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:10.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B73E0A79C7C31EDA6FB6C682211226F,SHA256=F9A7CA59E039AFF91EAB8779507EBCB80DBA05BD95CE377BB5D067B04A7B9D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:11.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD168D4CEE294A1B40902AEEC0CAFD7B,SHA256=27D743BD5F3E1323807A59B1506EABBA735BE9ABC80D74C5BB1989EE0C99DFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:11.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEAAE092BACC1CC67DDFCA08DB4ADA0C,SHA256=DEB72A93A3EB51544A9D542725801CC0E251C4B7C171A96C0147F80762582EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:12.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57E1F6B7F3132D354B805F353710C29,SHA256=3D9491CC30691D0524C2A0A34D7F344DACFA2A748421F3DB78C31E69D8584F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:12.958{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:12.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99AF8FE22D809B71C7C81277AB235894,SHA256=10ACC888D8A5E41B50E8E22F4AC610C966F98F8AB803E5F6204F04437F8B9291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:12.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4800BE7F650EADBB16A7AFD1CE51DE0C,SHA256=D11E547FCF0D8883C93AA924473F84B75B1992E2237622F5EE7AC1BE697A32B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:09.938{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:13.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875EEC5084F126B43B8BE476D3D7DAE3,SHA256=A99EE50972BFB9E98AB59C67D9BEF595291325F6E13D642BC342C9B598CD05F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:13.261{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4275MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:13.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E3CB7BD6CFBF64D16FA673EB2C140E,SHA256=7047205D86356D23E92FF6FCFBF96C3CD5DC5C503ED94099BC4D52CC1050EF58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:13.447{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001042022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:13.447{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x8000000000000000971409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:09.653{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-49521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:14.861{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB69E31B7BD97CE0FD886F685B79009,SHA256=C233ECDBC817360E51046B65D1CEFC56E38585861AB0119ED6D89DABF6FEA495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:14.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA86892DCB61F907E6C2B1974E25CE8C,SHA256=8C73A8BDCDDD4CAFB7196EBE08B4CF0179029C425B176B3A0DC4F5CCEFE41A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:14.259{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4276MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:15.944{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179C57C11B2F5C7CBA5D9A2E2CBF4E5F,SHA256=475012D3C78C1DB4ACDAC4537651B17A76EED3C529F9728DB872B3D2AF68D6B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:11.588{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58982-false10.0.1.12-8089- 23542300x8000000000000000971414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:15.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AA8A149BDB20C935E1F54B4E6C0097,SHA256=A2AE8F73CD7B955327813BD4C9F4F9C77DF76A7362991CCB3E43D569458714EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D10D2071FC09C1F2DCF7E152AC4E160,SHA256=462BDE792557809E723893F65D9CD958F9C2C4D0D56600396B149CD7CE64BD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:16.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C76C76BEC843E030B6FBA2F7FB61F27,SHA256=6E55A3516ED714C818D42070084B993D7737246E7E106C975458C86C5DDC915A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:12.763{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58983-false10.0.1.12-8000- 23542300x8000000000000000971416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:16.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3399D142ACA54D869DC74C7DE25B1FB,SHA256=DF9ABAA3A83B2FB8145FC14ADF8A9ACCA7BDD4C8104E3F4D88482111015D5325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.460{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001042029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.460{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.460{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfaf7c5b.TMPMD5=3E93519ECEEA3AAC370B2A7E51DC9826,SHA256=B9C7939595DFF51D3884ECE464CFA7782009D3D613796D6691D52ED325FFCCF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.444{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 354300x8000000000000000971420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:13.860{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:17.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A21B0CEF3D9B754A48775415CC31B3,SHA256=DB1A915B903374EA5FA818D4C5CC1F4F8955590038395416E51E90C27A1C19CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:15.689{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65245-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:15.689{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65245-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001042064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.444{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463E2A172BE2EDB7CA3C0F20B4D1180F,SHA256=95465141C45841862D5ADD84D1F059488981E1E3979069F3C84CB3814B2C560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:17.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F5E29D46240B39530E84F334567E117,SHA256=E2AE993DF0D9A557D38049B28845BED46848DBE1F3525667AF04428B18576762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:18.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1F71FA86ED053099C076CC38764852,SHA256=3864A089E9BCE3CA6997AD5D17DEB40EBF1BFDE880D160F105705B97A6853B0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:16.188{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51058-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:15.904{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:18.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F0DE8FC7C1DA9B7A34A0E36D16847A,SHA256=FF067692F5C3269EF3320682874FC0CEBBDEEE0673B12A4149CA47EE14B7271A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:19.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB30764A83DA666C0E1CFC333168E361,SHA256=CAF220559946AFB50A9DE72E2B3958AD5065DD122C03E94717177CBBF437DEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:19.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F07A5FFFB3918504CDE1979555AD6DC,SHA256=BF51D04B850BF048FD81D389C8872F7948592537A18B16BB3FF4441083153C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:20.353{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A6CD64E8121C330B23B3D0A3F8839D,SHA256=484A74F90BEB3C5D601514AA21461AA52A5AC4940441339416448499B730E1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:20.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2AF41A60698AD882A7CC4F3DE64304,SHA256=B6AA6700584BA0C08A06579F0936B22261529A4D0276FB568AB39D6F209881A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:21.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8669A7C91D1BF1C68A22CC3A6402D7F0,SHA256=F98B8B186723A089FA6BABB596DD3E7D96BB87B4F95C1451A76D748DDE78A071,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:17.858{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58984-false10.0.1.12-8000- 23542300x8000000000000000971424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:21.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D3DB37CB50A513F2A31F208CB54B60,SHA256=FE1274B84340C7B079FA10BC50CC12D1FA60B9D7B481343DB2DFC478E2199B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:22.393{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBDFE27A50E0C2D603971DAC594D079,SHA256=6E9F98DF8113D4DA5B7D16E52E3CBDAA6E8B1FAC77E5572F22FC9996EA6C14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:22.393{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463E2A172BE2EDB7CA3C0F20B4D1180F,SHA256=95465141C45841862D5ADD84D1F059488981E1E3979069F3C84CB3814B2C560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:22.340{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A65C70DE62B8CE3B21B4A551D6896A,SHA256=F1D99711A819D64AEE38419B42BBCA01E7C58D6079C0842D84F949E2FAD4BCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:22.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B6A724CFD23F1D0677FBAEAE49FB69,SHA256=0A4461375DBA03BB1A62A5DABA38879FCB12A87FB594C5A7245BDBF4D320C615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:23.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DAA8B2EDE7212D06D0AF63557C1D38,SHA256=5F1BAAF739DE95E35D74AA604E7A59675F1742DD9FE73FB6A9C97A55A30D8B87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:21.832{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:20.773{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:23.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4F9A8481E87F6BDD3B1133FE0F00C8,SHA256=FB2DE6B19F0B42AD4D4752C20297D2A7A315A9C1C7D527DC94E1EF12740A37A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:24.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6BB5531FCF02FF71C1F78A2553B1BC,SHA256=1E1B9D172FA9D4FAB6ED0EEF77D35DB5D2061ADD46326478CD7F31202BFC7002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:24.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372F072CDFB0D9636907437D195EDEC9,SHA256=F5D1E5ED4B46055E44FA8F2A9C1772980F0E3F6FF52E672B677A430B718D23A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:23.969{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56011-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:23.209{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:25.572{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A80490F588699A465A0E313B5D8935,SHA256=3881B233B110C05784A8E942AF51BB09235450D5A5E65672BABCB8FDD1A8808D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:25.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F9EA51C68AF85B2AD19DD8F925D6B2,SHA256=2378199905379F093D5EF426F56751922CFA857870019087DE671057BDED4DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:25.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBDFE27A50E0C2D603971DAC594D079,SHA256=6E9F98DF8113D4DA5B7D16E52E3CBDAA6E8B1FAC77E5572F22FC9996EA6C14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:26.590{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDB75576111581DD5E45E9098A5DFCD,SHA256=0EE5991E5730C283810D9EE8F4994E8A56B24C686FD5CF542DF45CB766103C84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8302-6151-D878-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.882{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.882{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8302-6151-D878-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.882{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8302-6151-D878-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.883{69CF5F33-8302-6151-D878-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:23.172{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89669836FFFA4339D164C2DCBBAFE1D,SHA256=9A68C57348F9F7F1D672B143B4545585096A9A368DC575C910F6711026442BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:26.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1535F2D4897459E436EE871950B6B046,SHA256=588EC255B4D422FE135616BFE3E316C20BDB2BB2A845D6E1403BEFB026CEF25E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.398{69CF5F33-8302-6151-D778-00000000FD01}1204856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9115781B0687AAB0CBE116727CB3E2D5,SHA256=1876010BDA2DDD4AE5950E4D9F678E8127D253F88EBEF2E552FD98229FA007C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.226{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B198CA01892AA8B0D7FF5A3CF7FB152B,SHA256=DEF2EF98C69AB7B517AB5C038DF4E05104C1C38D27A46F21A4EFCC6CE173197C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8302-6151-D778-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8302-6151-D778-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.210{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8302-6151-D778-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:26.196{69CF5F33-8302-6151-D778-00000000FD01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:27.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F59D609BE395A6BC026F10E533E810,SHA256=07634C507843B9C846DB1EE2F34287E19D2C664A3A8F4B601AE10BCFC6534A39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:23.902{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58985-false10.0.1.12-8000- 10341000x8000000000000000971475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8303-6151-D978-00000000FD01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.585{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.569{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8303-6151-D978-00000000FD01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.569{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8303-6151-D978-00000000FD01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.570{69CF5F33-8303-6151-D978-00000000FD01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D01B2CDCA82C0BD2177D02D72C3A37,SHA256=B432F8F7F4BB48122D34A743E3D168F3D9FE6C66F211A887992BA678686DC35A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.085{69CF5F33-8302-6151-D878-00000000FD01}40602656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:28.671{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDB6CE7966A765190AF50A6D1DC5B9A,SHA256=857B4DE8053B71F2FB52CEA33909C961E94B6CFB73BED01F5EF2539C0DBCFBAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8304-6151-DB78-00000000FD01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8304-6151-DB78-00000000FD01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.960{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8304-6151-DB78-00000000FD01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.945{69CF5F33-8304-6151-DB78-00000000FD01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36203E26620FC8518609192DC323B68,SHA256=4F3E6111C7818275BFA8464A60542D60B3C96E3B41201406B1CAC52AB85C9527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.429{69CF5F33-8304-6151-DA78-00000000FD01}4963204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8304-6151-DA78-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8304-6151-DA78-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.273{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8304-6151-DA78-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.258{69CF5F33-8304-6151-DA78-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:28.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9115781B0687AAB0CBE116727CB3E2D5,SHA256=1876010BDA2DDD4AE5950E4D9F678E8127D253F88EBEF2E552FD98229FA007C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:27.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:29.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06F9444D6FD9F37A0582070C4C9931D,SHA256=17E3407E884ABCE5E508D23DB06C119E27AC132BE83E4DEE028ADA246626EB78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:27.193{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.835{69CF5F33-8305-6151-DC78-00000000FD01}16163476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8305-6151-DC78-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8305-6151-DC78-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.632{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8305-6151-DC78-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.619{69CF5F33-8305-6151-DC78-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069C05C69B1890A5E46A7B1083F111C4,SHA256=E7692118AB9374D9161E2B3A4C9627246DE886E4213428F5ED926A226EDFFC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=682480DE50CC68F9566D51EB533C0F05,SHA256=2B2DDA2A029E3DC4DCA53443E70C23ACA834746A77760E677B3E076CF70ACB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:30.816{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54283391FFF92E2D30A6B4CBB2CA6581,SHA256=2BB02CDE52C5ADF2CEB9E60A3FE3F29B42CD0823871E34C34B3B2420BDBF1E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:30.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31813F1E6CD5B37E9E7937304B1C756,SHA256=383D3C6E825EA5E73FF4905DDA0539EBD6B7435E221A33301BA911795E19CDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:30.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E948BF1F2E1C3D3F7D5D69313F5663,SHA256=035A8EB022E0667125718D2DFE50DD28D6217BC8F3E9C99D1D179501C2BCDF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:31.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFF0A251EFBAEC007C0446ACEDA3AA3,SHA256=FFF4E27C766DF2A2610C20A1CD00FA7EF1F336F28E36B5EB803DBFD22AA6006C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:31.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AE1B9BC6AD8AA04F47097E41CBD77E,SHA256=FE4B32A93A41B057F711941E344A2D9AE51FC0B228CA380EDBCC3E0A255EB417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:32.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE158569D986647DB4B5E7DEE245AC97,SHA256=294BC170C489F6523EE0F0DF000AED204989196FC70B6BCAA94B573E49874969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:32.914{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D7AD41546DBAB9BF9998E97E12CC28,SHA256=3EA26EC8E57FE2B9362DAA46AE0C87DF47C78EF20C1033BAB88BC85472578C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:32.288{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7846AF6AAD82688CB485A5E649724926,SHA256=EF08ED16F617B17A309268B9E3FC0871DE770B56C9685E1D40E33C5451F55F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:33.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31F24DE19C0F751A8EC2C08FE5285AD4,SHA256=FED4FE3743FC45A533C78ECC7556F7FE31732620A718677A867A8C20244EA810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:33.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F647C4A03B6EE9599A0F03ABC808308,SHA256=72E62A15F13A57E38A55A18BA6F1012F891783B07080894F3E6ED6C4F3A2E1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:33.914{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2A4BD4E9E4BAFDF92D8DEAEF43E31D,SHA256=E4A360876ADA5C17869F1E551C724899B1F6878AD8171760B3D33988FAE075C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:29.652{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58986-false10.0.1.12-8000- 23542300x8000000000000000971531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:34.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE57FD1650893209A5277B549B64328,SHA256=CD2F45F58FB097766C00A583F01F94B87F7D30665F2735F2BCD92934045FAA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:34.945{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACC6943492BBFE90BA5791B171ADE80,SHA256=6F1170F0C28623A9E7C6708E28A69049E3DC1D154FFB76F3394DCC2576F81340,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:31.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:32.922{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:35.844{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:36.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B5A8CD3C7358B033CFEFE9675E5E9E,SHA256=F980D7C6274D31CD8E6D2B5726E8228887E839419DE9C8DAEE2F8E9EB1C64213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:36.043{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55B1B23CFDFAE0111547DF9E166EF67,SHA256=66BFC693B6865B01C465DDB686BEC391129021ADF3C5D2D92C4183519BCB26DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:33.690{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:37.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC4447AD980CD3CEB8BBED327EE9AC8F,SHA256=88691E07DBF0929890828A132AFE1C13C0EFE53197ED8BDD9B04A2B89EA289D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:37.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA5E03866CB25571B2ED582C0D6440,SHA256=17E8E368A30479EF626663534CC63126C48D2560BCCF8D3DE0B675C8D4D2CCDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:35.520{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001042098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:37.077{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28941EB9C97F61D10FEE7DF46BCD8F50,SHA256=E1BB1925C51311F9A20AED3D5E1DE89184D08643BA1527FBFA04CF016D6B9EF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:34.840{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58987-false10.0.1.12-8000- 10341000x8000000000000000971550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-830E-6151-DD78-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-830E-6151-DD78-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.460{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-830E-6151-DD78-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.445{69CF5F33-830E-6151-DD78-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:38.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC825EFD5815B7DB049E988C6B42C08,SHA256=651B613BD12E7846214B741841245A3840F111DE16D106E5169C0D86BB32FDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.997{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0E2E13CDD245E3A9F321E7A9883CB9A0,SHA256=0C5010F40829CC04D78A7E1250EC39514EB7158F81821E1E173C9E43F69DE22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166C8605695BE6436E4CDD00BE9EC0D7,SHA256=A8603219408B51B5122115309BC90726EEBF9C5D8EDD6BDA807FF1F8B3E02979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48D3FCA56CDD994755C31BFD753424E1,SHA256=024AA6BA230BE7CD1241B23B6326F54F20DB5FFED20C5920A41D41B75C0CB5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D2F7E12534D7E19A1786EAAEE99C2B,SHA256=52E8F175EA518F982E232DEDA7D599BD384145D981668E0E8DD31124A58D1073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:39.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E41A8A3B1FDC58B70D071D22EFBB868D,SHA256=F28ED543FE3266AA6F09FD83C54DFD402DE537F0D69D82DDDEEE33EE1E7DB6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:39.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63994D6BF39180110A36DFF62A1643DC,SHA256=6A27C677DDED3EE95C5E8510386557CF8A8A25552E4FB6EF4C32C8D77C9D7566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:39.180{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6211F545F8857DFCE8B2800EC7C62C,SHA256=AB9E4EF1E92215DDF7888B6DFCDD09AAF87E2957484BA48F102E3E59F83E82B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:37.365{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58305-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:40.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8F0E8D84B5520A3EEC617727E27C22,SHA256=C1A3A739978D228C89892CB4ADA295485FB69FC13DE1325F3059352DDE5C5FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:40.211{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06BFE78195CAF366D18336A59B4A3C9,SHA256=DD9F23940A626AACCB36C6DB35A6E05CD8E76A2CD151F036313DBB13F05D32B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:40.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166C8605695BE6436E4CDD00BE9EC0D7,SHA256=A8603219408B51B5122115309BC90726EEBF9C5D8EDD6BDA807FF1F8B3E02979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:41.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5634B137A66C11577577FAA3A9A5982C,SHA256=E00745D419250F67734037BF8003B845F8AC3A9DBA06DDBC366DADDD7C687674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:41.678{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4275MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:41.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7B4823F040C13365CBBCC749A3CC58,SHA256=3079FC2DC6EE3834B5D066D65A8DF459EAED7555973CD85741168C6BCF6E68F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.888{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:38.876{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:37.777{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64685-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:42.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908318A16059EACEAC742DC9E25AA7C5,SHA256=EE3BD8F3C40C7C9C327C7C067E4783258EFB091BEC1B0CBC8A178E9F6D30A93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:42.674{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4276MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:42.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6B79D4892A4EE9F2DA1A84208ABD6A,SHA256=755C9D2FBCE5F2D0B7F76FF3DBB0871338A65C854E1D564ABD7F59E9B97C50B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:40.796{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58988-false10.0.1.12-8000- 23542300x80000000000000001042115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:43.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA15965351FC95E2049617E2D259949,SHA256=E8D54AD703320C9D5B62D4AF5F7ACA0440BED8BEFE57DDCFF56167C6D7D76319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:44.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1D97781DF57574F5ADAF5FFD26C16F,SHA256=3EEB8A2960CB09F65A9CA955148DB7143702F9F70B67CCA4E7E32E7C5F424587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:44.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7614E1DFF61BBADE9FFE01C0199C46CE,SHA256=8076042566FC49F351FEFA8DF740CC6F90C71AEE11B78AE657ED2255630B4210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:45.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3888245C859E5B54E159B875CEEA5DA0,SHA256=382E0576B21DF51887E44242C8DB0247583A308307D4EA04C4FDE69D3024347F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.878{5EBD8912-8315-6151-3679-00000000FC01}3576756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8315-6151-3679-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8315-6151-3679-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.709{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8315-6151-3679-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.694{5EBD8912-8315-6151-3679-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F8D775E8D247F4BF3EF6E62D4053E5,SHA256=A77557902FAFD915153B9A4C85AFDED18F974FC2CDDA125B605DE54E9D4B62EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8314-6151-3579-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8314-6151-3579-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.025{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8314-6151-3579-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:44.995{5EBD8912-8314-6151-3579-00000000FC01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:46.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6058F4D3B9F83E547ECF1B7DC237C0AD,SHA256=A033190907BF2C6C548AFA05BA3E7095E107D39F43AF9DBD91992A7E6B01B805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:46.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57815745866AC88E29F3EEAC94684502,SHA256=E197203A4A5A117739449931A44446C169550E2BBB67225BC062C84565D94504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:46.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7989FAA477A779C934862F566461CA7E,SHA256=E408CAEF58B4EB98F940E76345500AA0C31806B8352285ADB76415AC9566018B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8316-6151-3779-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8316-6151-3779-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.410{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8316-6151-3779-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.395{5EBD8912-8316-6151-3779-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845D7AC0E57855752888D272FCDEAB9F,SHA256=B07FAF721B5E6E868A6FF31B1EA0389C324D9C9911BC7E3DBEB2656863CFD32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6148B503277E51E1E0D3C66E4AA010B5,SHA256=5E508C418E7AE9E9DC94E61717D8732FA7081FF87752A04E4C2B54334E377819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:46.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A649C6A2BBEF828D91DFB67675947CA,SHA256=BE4DBE8AA962D064826C615757330BB6C8CBE37175315353EF4D75F0EFD6850A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:45.925{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:44.917{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:47.409{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6148B503277E51E1E0D3C66E4AA010B5,SHA256=5E508C418E7AE9E9DC94E61717D8732FA7081FF87752A04E4C2B54334E377819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:47.356{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9036C35FBA03BD92420A487525F27E2A,SHA256=53B93939C60F60A3EE7185FFFC537B190AFCBC26EF2EF39ABF2F5A9380261CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:47.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0CE3320ED828F9B297ECAB4F6FFD95,SHA256=B2C577A294B04C41026D9EC3B8EE793221F7788580F61EB8C7F42819B5FE0781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:43.655{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:48.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BCBBD9EA951ECD62E69FAEEAD85239,SHA256=B39BE473428755036AE43FC150919786711C867E0D1C35F57EC75B0B46D2F61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:48.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6634F4C28078874F5FCF9B6CF5EB3CEB,SHA256=CEF551D6972CC2B3FF1B5F565C73AB3B5912AD905A97EEF996CE0865FBD5B8A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:45.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:48.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6058F4D3B9F83E547ECF1B7DC237C0AD,SHA256=A033190907BF2C6C548AFA05BA3E7095E107D39F43AF9DBD91992A7E6B01B805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:49.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60BF60AE50D432E550A589FA3E64670,SHA256=C6664D007335C38DAD135F99C26C2647BAF4DEA8A13283FD8A9BDED6D620DFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:49.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD7C372CD636F7367E17E6940E49779,SHA256=4FE14F8E4DAF2853C5A1FB5505C56BAE82930674712709BE35B5147C701F4B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:50.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48180471D063B0F6B1F6AA1FC4441E42,SHA256=77EFD7B3913003457F7A7831DB245B4081AE01AC7BA27B8D9B9525C0927557BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:50.729{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DFDA74C670BA29B7BC52238A722E0,SHA256=EFE23FAF588F8886C68BFAFE4833102B3067C3645B4A5594106373FBB6BF42FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:46.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58989-false10.0.1.12-8000- 23542300x8000000000000000971573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:51.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A096C6FFF75E025E7CFF55879CC27749,SHA256=C919FBF08E88B24A05AEA1D132AA9978703821CF3D4913B3FA19B66A5E703FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:51.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF47C42ED07B63A484B30F8B82C2C5F,SHA256=FDCA80635B1853E00243B99B6BF9BD5326D3D5C16E27C68F84BBDFF77FC805AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:47.734{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:51.339{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2404ADA2238DF01F7ACF85726195E3B5,SHA256=F03A2ABFA0235B0FEF73844BA0E40C67C5FE33F345D6E383DD46A994247A6D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:52.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449B2965B8893591AABB5EF45FCCA2F4,SHA256=547FC8E867CBD0E1F40D3178132D544510131567C08A9433C4BE6807A8464524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:52.672{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22C9D5EEFA5BBDF2B4167FB41CD351A,SHA256=FF0EC289397D0CD3959E15CF5CAD0CC2EE97063113A73FCB17079395FD9558AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:53.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72435D4574EB44AECBABBF1D45ED96A,SHA256=140014563AB0B0BE22421CA5914227874DD8C7505E6A1F321ED375D6A168D5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:53.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013F27893BFF2015ADE44CC7E09F7F4A,SHA256=6727FF2FF7405D6BF196E3145691943BC91F94F10D98118D6AD8FF5B53163E49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:50.877{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56505-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:50.815{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:53.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA94B888FA902407C6AA8DB573A2E56,SHA256=F72CE17DF018EA25D6B4486CC23E1A0D99D8EF934A7A257F0734CE666E3EB3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:53.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F585CAE3CE4A38459C36D843E6BB1CA,SHA256=1853C57D7B0439C2F7CB7F4D5F3CD605DD4BC0DA134B80BCE203DF9FED91C248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:54.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48D7150864509A717241565B6C41AE0,SHA256=3442EDFB08C2ED470D14BD49C7EDACDE81D62F5D399346CB3F1F50327086B73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-831E-6151-3979-00000000FC01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-831E-6151-3979-00000000FC01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.953{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-831E-6151-3979-00000000FC01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.939{5EBD8912-831E-6151-3979-00000000FC01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.806{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEBD9B18F5496DC685C92B43DE32960,SHA256=885729F8FE7BA56A22D5109C7C1F5A7FCE44E8704E2163D92D44EDA5203D5263,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.607{5EBD8912-831E-6151-3879-00000000FC01}38446036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:52.570{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59094-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001042168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.371{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-831E-6151-3879-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-831E-6151-3879-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.354{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-831E-6151-3879-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.339{5EBD8912-831E-6151-3879-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:54.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA94B888FA902407C6AA8DB573A2E56,SHA256=F72CE17DF018EA25D6B4486CC23E1A0D99D8EF934A7A257F0734CE666E3EB3F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:52.843{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58990-false10.0.1.12-8000- 23542300x8000000000000000971577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:55.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4940D921F8B8BFD0BE4984478984A8E2,SHA256=AD307B654A56C0B90693F40D88D5172F97296904FCFA5DAEF718A5878B65023A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7025AC39EA78F03D88F7CEB7972A7DD,SHA256=97377E90675D9C1EDD06F18C29512ED0843A3AABE503F3A5973A52EE430CDA52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-831F-6151-3A79-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-831F-6151-3A79-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.574{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-831F-6151-3A79-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.569{5EBD8912-831F-6151-3A79-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADCD222E9D31DAFBA080F04B0C4045C,SHA256=C223B87B4AC85C8F96DB730093A55629850257CE75E99D6853A710CC381DCE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.191{5EBD8912-831E-6151-3979-00000000FC01}46165808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8AE09C6CB1E5A0A7AB496F6D7BF584,SHA256=896C0F96D662CD03EB934F01627BEAEDA3B459908C5B045A656A1C615CAC1A76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:53.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:56.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFA40A10B29033D00773C687251ACF1,SHA256=B6C09472B514B018B5C9369D8C14C3DB6A4CA2B6EB9E9D4B7D51D778FE4D637C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.637{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE570178875B8632A115791DD6F610FE,SHA256=7ADE909ECEFE84B1F9247E719BD8B0CA216D8103D7A19667766A92319F3296F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.452{5EBD8912-8320-6151-3B79-00000000FC01}59445040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.271{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8320-6151-3B79-00000000FC01}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.269{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8320-6151-3B79-00000000FC01}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.268{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8320-6151-3B79-00000000FC01}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.253{5EBD8912-8320-6151-3B79-00000000FC01}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E196637231639535C635A1D42CC4984,SHA256=9D044F867A7457F08F493B919B636FF5F67438207B9542E38EDDDB92442322E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:57.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7D1B873EB52771BD6A488DF97BD90F,SHA256=5ABCF6224FFD53CE9C92D2894EA3BE86A4FF34F141157AFB6F701FDFC5C121F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:55.859{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001042202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.421{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000971582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:57.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7374182BB07E4D18EA30EE9332FB9D16,SHA256=BC40F05BAB3BDFCAE39633C59694FF3D35C9C582D0B7FBEC84A0F0A087810AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:57.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33730983134292E77DEA5FD91075EF4F,SHA256=FD1A734679D95EEFA8F41FCB48807CB5C56766F7A2D18754B44D38FA97F229CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:58.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDF2E9EAA5018C067DFDB615433B457,SHA256=06DE46FB9E3700303410E78EEE7CD90A148E7B2E5B3588B99098726E8290052D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:58.888{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8C26905163F5EF29D75539A43CF4AA,SHA256=B40D7D35ED732C5F744DA5DB0202F7354DED7139FE7F5373887C211A88C8A529,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.121{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65261-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001042218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.121{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65261-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001042217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.117{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65260-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001042216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.117{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65260-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001042215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.116{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65259-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001042214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.116{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65259-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001042213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.008{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65258-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001042212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.008{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65258-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001042211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.000{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65257-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001042210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:57.000{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65257-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001042209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.999{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65256-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001042208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.999{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65256-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001042207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.999{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65255-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001042206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:56.998{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65255-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001042205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:58.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1A0F9FC5BCC2D1AF6720F57375F31C,SHA256=D41D289A0D724494A5853A59245D5CC78FEAB92E3721D3FFE553CB067191A9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:59.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45EF3DBFF937BB3A6CD4D5B52B4B096,SHA256=12790424A71F6C2D6DCF6E5811C22249D019B45D1FC8B856A4F0F72AA224A7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:38:59.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561C330F3044F4006F662DEBC8DD296C,SHA256=B25D7FF25CF7361EC6640A605DCB56C0A4D146590E76D1BE953E394A6D9F1204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:00.967{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855AF890DBD62A0AB1D5F32C87B97BDA,SHA256=A9B3733EC038D0958F668D1D02DF91ED0CA1DA78C04D3A9DFD22AA6C19649CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:00.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B3F1F4CAC222E340595034498D4621,SHA256=3FEE2EB9CA1720811AEB338ECFE4594CC14B7F003302E8974D33D7AAB41B1CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:01.985{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37C6DE87816F0962E1AE2B882340C2E,SHA256=1220EB33B843EC4DEE0C0AA51F143289B865EB7824DF722F1851486A6DF0C099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:01.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7374182BB07E4D18EA30EE9332FB9D16,SHA256=BC40F05BAB3BDFCAE39633C59694FF3D35C9C582D0B7FBEC84A0F0A087810AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:01.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7E67AC83958614CBB0F17080D34DE8,SHA256=84A31748C7EF1AD0107B3E0CC3CC5359EE9157C8575E599A20734D49FCEA6D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:02.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1274339B703CA73E5E27D7C88DA9BE1B,SHA256=2BEEBC62D133F0ED889D2132ADEB9DA825C07F286BE3724AF8C2806A49C4560A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:00.396{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:02.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63F77397DF5F2331306839F77042630E,SHA256=70FE82813BF054FA68613305A7099399F60842449C3E40FAD69A4C297F793048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:03.869{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245C7E69FC26AA7666E0F17F6CD0A064,SHA256=A84F3D67B74B71D0406FB3E87F06E866414AEBB519CB13637709071A03472783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:59.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:38:58.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58991-false10.0.1.12-8000- 354300x80000000000000001042227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:00.931{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:03.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D347C36B6DD1F51F7E40B5845950B583,SHA256=13A62CD0DF9DB83D288938CFB2D65467D24E166409A20E317646EEBE150BBC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:04.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1E70A0279C63E19538E3AAF75C04FE,SHA256=B979EB4278F1394CFD1FFA5D2514D20B75206C40594FCF1A9275BEA54D11EF8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:01.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:04.037{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C14FD8D48A1E55730DC2C6311EF254,SHA256=5B7DCE6103E8D08F6B3DA857C6604774A6D275F562EF98CE97EDA18AC4B4CC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:05.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0C82E278B4CEF98817250F6FA7AA1B,SHA256=0FD7DEEDDEE89B43FC75F2F7D2D919520CF3F576A141E4EB98F2E49C72A3AA10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:05.851{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:05.052{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52303F81C11856E1780AF8D75EA9599,SHA256=80912EA362ED45A2A12C970AF70F0625CA1D10FB1B93066907B3C3A617B9AAF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:06.916{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7EFA2B0DD449D3F0D27EAC2587D49D,SHA256=B0A2901B4C0F0E92828825A9ED143C39431E04F491FB4B8914A009FFCBDCCC5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:04.862{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de58777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:06.073{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6371D2A3FCA871DC30E0C5898C024F8C,SHA256=F797FA9820884607F5C2296AF3FB76D2C51768D95DE87FDA1BCC477B474D2831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:07.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CC8D4FBABEE582B791120C2FF6C828,SHA256=6872921C884F75F7E3E57F000502D2271320E93085C976A2D2EBB063AA7A6957,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:03.873{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58992-false10.0.1.12-8000- 23542300x80000000000000001042236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:07.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F10A687029FED13C7AA54C63A2B3746,SHA256=94D649F946CCE79F6792C2B475F451CD9F8F257E7982047F5ECB4F0218EFE3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:07.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C7C51A2AB6C797C28C6BE4BFF9F0A1C,SHA256=4297D45B0DED28A9035365085E37FC4C26539A8B42968672F72273A4427D4056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:07.088{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6182A419FEA644FB5F5B498CEDA71D8D,SHA256=D0BDC5F06FE713C970793CD8826515025E9CCA303FBDE93AC423BA791C8F8916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:08.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F6C948A64780C84B8F1422B416CDD2,SHA256=7483C0E0AB727BE4845A980C523316EED3E5EE8DC31AC8AD3959228AB48F54F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:08.089{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24BE2F8F6CF8238EC5BCD422CF92B85,SHA256=A7DBDD6C0DCAC2AFA2B90B5057B71FC87279968CA55AC58CD84D1D56C1EA2F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:09.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8349233739682C8E475A1F2B56B166F5,SHA256=AAE5A6E47C62DB7DF9D2F6FA06C7315ADBB2F96E3CA8FECF6481313029FA817B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:09.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F10A687029FED13C7AA54C63A2B3746,SHA256=94D649F946CCE79F6792C2B475F451CD9F8F257E7982047F5ECB4F0218EFE3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:09.091{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CBE7BDED90E5E1F2461E434CF52A2A,SHA256=40C19D9EB2A8FD4ED66BCFC4739BE85CF5A82622AA358E20F8E155B6D0E09EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:09.463{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29577BEF45C869F4FC90BBF0F63E0BF2,SHA256=B9D4B024522C54B98188FB95D4188A0DBE27EBDCCAE0D4A65F2499A77CAB6773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:09.463{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2094D539E49D3224263720762A0FC3D5,SHA256=B9BA3C31E834E229392EB75B0BBD8470968C5529D05AB8B316E8EFD5A790487C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:06.772{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:10.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B413E718C013A08F15F2174E9AC1727,SHA256=8268BE688FDD5F59A03FF55B238D3F21D8EE6B681BA6176970863024B42CF827,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:07.743{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:10.106{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44948054E01C2B2939E5C9D28EF3B96A,SHA256=B0FD68938E0D3E99BBB91DE320FE1740A0CB4639BE81D77F6F49AE26083B909C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:11.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFABFA83E57B00418859AE41190A9EDA,SHA256=81358E4E01B31365EA4A65B86F4F348D69E234BFC925ADEC5BD2A008F6926EEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:08.354{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:11.122{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D941C53C75874F5195E073A20DEF44F,SHA256=0919E769D63E17BA3801A3CE96205AD8C602F9EAF2D1C0771AE8A785009B2291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:11.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29577BEF45C869F4FC90BBF0F63E0BF2,SHA256=B9D4B024522C54B98188FB95D4188A0DBE27EBDCCAE0D4A65F2499A77CAB6773,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:08.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:12.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD20C3149E8ABE31326989DEE0DFC9F,SHA256=76D524242F30AD76826A324EB5BB101F432B0F5ADDBBE1C0D75658BB6EC867A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:12.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6724FC5F90BEC590A69F35BFF87FFF4A,SHA256=B8F3B79B347126AED0C4EBA521C74CF05DA36EE49DD80D92D4725D72B31A7B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:12.978{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:09.858{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58993-false10.0.1.12-8000- 23542300x80000000000000001042245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:13.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B476FF16478FD8249E244AC850DE65A,SHA256=DFEC50FD775DA6C321E95F30B7CCE01790A78BE02A26CC497A72E6F5CAE6F23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:12.896{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:14.203{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80A8ABAB5ACAD9B45D300FFA3DD8D80,SHA256=2EBC0AE4161848C845DA63C9FBBB8FDEAD00D95EE4BE43CBDA66BD86BA0F413B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:14.779{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4276MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:11.608{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58994-false10.0.1.12-8089- 23542300x8000000000000000971610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:14.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865DA15F7751DD0DB2C36B07D7962A69,SHA256=7F5DD9C94527A9532D172C198201787787E56B9521342091F771DD190B59FBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:15.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BC1F01ACC679318C7B8DD45768F085,SHA256=2181E3385C98A706B0D4267A15C5CFD2E0CC6310E828B9D0E55A95511E84B15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:15.792{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4277MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:15.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F327373D2A3DA853B633B06FE8A51E,SHA256=B82B95E7DAC42F71D7B7C73A132878E55DEA3434A9587789227C1471782FDFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:16.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DE413EF78D6AB42A8B326858E1B9BB,SHA256=7C6F5F77D0DD969A7DA0C9B9328F81297EB1C79C15594213FB19855974838ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:16.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A12B00EBE69E925E5E7C61B4D8D28E,SHA256=917B920571001181E37F99832B5607CBCE48038358E0186C28393ACA9606CA2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:15.693{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65265-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:15.693{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65265-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001042258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDAB8402D5259A6D92EFA91E4B002D,SHA256=D06EF8720F9FB4741E064EC79A8F11B9E45326CA3E42A8C93ED92BB898E6349E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:17.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108E4D7847CB28C557C705EE26594283,SHA256=E0E80D0F293C4C618251574ADEF4129D64596305358D9FDC222E52DA827CECCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6743E2BD9EC2935208ED88E665927FC0,SHA256=6E6ADB8B62D100755818057805164F1D55512938E23B9290F9264623F92A33E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=61194317819EA29ED4FBD90FADF74C82,SHA256=03A84F8706225107C5DBFAA5C898205ED1E1C0AB1F91457284A304749FC26987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=593D71452ADC46329657DF38FA88B865,SHA256=3E6079FC8B3D64E06EA61A5814706CF071FCA059A4EED468268F52E1EBFBFF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=859CFF848D7AE5D27F6E1D5B8BAD10DF,SHA256=8E52D919A576D93F062980267353A6C0C2C923A0B48A6200D6A35EC0D82FCC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8F7EC7423EDB34533105D952A611D89D,SHA256=B54AFDC375652D360846D24B8D8079DCCA8B24E2BF25518E3B7AF7A7CB335B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CC7C429DBC8E7CF5BD12E7AA9106F573,SHA256=705A6452FE7B2CE4CCFC3833AAF3E0D33239A2914348B04C38CE80C74DD48353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.002{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=057D99190CF91D20A6F8F40D042E093E,SHA256=31F2101F07D68116D171A41466D515D27A486687FB520BF0E9F6DAF908E51B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.002{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D430E9BD9C2EEB9E78CA08B6905DF272,SHA256=6BAB012933A51E5BA83BD78023A9DE07F537FD5E431C13ADEA093AB757F7C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:18.785{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=057D99190CF91D20A6F8F40D042E093E,SHA256=31F2101F07D68116D171A41466D515D27A486687FB520BF0E9F6DAF908E51B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:18.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B540DC05742F7C60A238345AB50CF5,SHA256=9B435FF758228F7B2F0EEDCC014F6560C9A8EE7154E98C638E4B945729186D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:18.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB285230F60C2807456E41A393A476F,SHA256=36E37529876BD8D8F58182F8C44BF02E3807962930965A01997AAF41C9053011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:19.934{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A143503C2DF4D1EB12C23D078831353D,SHA256=986F0AFF6276B2D13A942766C45FF3E19FEFA80F2978422670A48ACC7E351757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:19.634{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB970C58D092D27D03EAAF9EEC0DFF7,SHA256=421C3CCBA89EF0046804FC166D1226C9E3F09F0D920EBA13D8A2B512FC7AA13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:16.416{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56453-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:15.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58995-false10.0.1.12-8000- 23542300x8000000000000000971620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:19.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5BB64F17F7B15ABEF3F4EE8A115E61,SHA256=369E4C3550EFAA5A412FD4FCB22F7B386CD9725365A9DCA4D11653B76319C3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:19.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA6FBB333E42E4E7A7C4E5B28B79648,SHA256=83104960C07239D5CEA4E540E3B4FE08691AEEECBF090946E363512AD3E30DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:19.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F29E1B5AAEB529685F1BD0E55BE52A1,SHA256=2BD6F3297D6275F5CD209C1BB7CDCF0BD2A24D675396C4F9ABA55CE3695F8C6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:17.172{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58695-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:20.649{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597CB4BEE7CA2F9229CDCE80E2342637,SHA256=CE0E64AA66B5C44813F3F490F2A906403400921C49A09ACD3877D2D48F8F4653,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:18.810{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:18.329{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000971625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:16.885{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com23212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:20.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5BB64F17F7B15ABEF3F4EE8A115E61,SHA256=369E4C3550EFAA5A412FD4FCB22F7B386CD9725365A9DCA4D11653B76319C3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:20.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDC86DA279DCEF2D5C719D72A280D17,SHA256=913F9BE92C7E5F4A9C44A8B7DBE23E69ECDA420EC24F90B0F49089DD12400CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:21.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB82401617FF1B60EB9F31704D019B1,SHA256=7BE641FA9AA6B5F28F01EE478B31EB64B0AF047391AB1DB80C85F22B799A7CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:21.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB8CC2FB91F93A5D25649BD2B138DD1,SHA256=FBCF5B16F5EDC2E94D1558E5BB8A6D04F3E9FF4010E9E530A579B43F07DFAB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:21.567{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1AD29F16A24BE1B8FC34B3B7E5CF87,SHA256=F0FE94860FA86A5B206E575650ADD1387B7F7C058131188653A6153DF81DDBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:22.732{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7545F7C95E00A0586D5A6ECDE5E155C9,SHA256=5A1BDCEA435B152265673274A782F37321BA95EBFE515B8E8A58E411FF6C4005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:22.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A65FB99F507D027569DCA40667A010,SHA256=B6D65811E48F713E99DA03C4205E5ADAA2592A8796E239BD416F60457D93270E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:19.930{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com27326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:23.748{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589C83623286170819BB4076C8AA5E8E,SHA256=E8060EAA5F2CCB4D4089393C6ADF75959057EFE0EC58EC07E1690C2952DE9CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:23.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E062A9B606480A016961D4FE4C3CDBD,SHA256=CA63966F09C562FB4B07A2D3431261FA0D4DA3DE9253C5914BA45B929F69E023,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:21.931{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59291-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:24.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B84DB281379176178E338748B3155,SHA256=BC2DAD15202CB56F05C052C08A169EC12BBF08C2246B559ACFB369CB8E326CD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:21.719{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58996-false10.0.1.12-8000- 23542300x8000000000000000971629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:24.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780B3AD2165A767FD86EC43B0269FB9,SHA256=9DAF1006411B63841B6E06E37513C8A812F094022A8D9EC821F8F313260DFCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:24.749{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032164A8203C84B252F73B52896DA699,SHA256=D88DEA34E1535925ADE1BBAC84F81FE7C1C87D619E265CE2F16D9589E07A16A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:25.770{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F3D704494FFB8E6C8F167860BFE0E0,SHA256=FC6FA7CD9A62E93B0EA7541B9D48736E6134327F85152DB38DB920F3E1199265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:25.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67AA99CDD9EF7A8EF1407FA5ED6EB4A,SHA256=9FDF52757D1C1C00B58BA2CF66DE2C863E6AAA58E4161A5A2C1EBAE00B19CE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:24.778{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:26.816{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1059A10DF1438B815BEF495A3281ECC2,SHA256=D1EDD6C1F6D8D0E5C1C89CD2C89E4C01EDB1B7E376CD63D8E969CD33FC150D46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-833E-6151-DF78-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-833E-6151-DF78-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.886{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-833E-6151-DF78-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.872{69CF5F33-833E-6151-DF78-00000000FD01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:23.406{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64007-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.402{69CF5F33-833E-6151-DE78-00000000FD01}3208104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-833E-6151-DE78-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-833E-6151-DE78-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.199{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-833E-6151-DE78-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.184{69CF5F33-833E-6151-DE78-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1EE735CA13364121E9228ABA7CE29D,SHA256=AC8BA2276AD26FD06C135256976C07DB16E6A3DB6A11C35664AFC86F91B47068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353C5E15E05E28C9C7B05852A15A70FE,SHA256=AF737E121A952F4014952AD3616C4C30D7F91809D61CAF6AAE32F51C4DCBFD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:26.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD4BFE33A703B444CAC6F436835741C,SHA256=9731C8CE790CF9A47BAE5B0D5B24C402A74A85446C974795A8E89EF80B91E1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:27.884{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753BAD08B81FBAB98344137B05910662,SHA256=FBFC4278E4817B28C5726B775318FB7291287668AE8635A907049F7ADDD497EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:24.704{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-833F-6151-E078-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-833F-6151-E078-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.511{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-833F-6151-E078-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.498{69CF5F33-833F-6151-E078-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCF841EBBADEC8A733458BA9C00C215,SHA256=92E3D3D12D4EB448140AC7F0B232C7A1F6B3F052F711054BD9050D2B3C808506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1EE735CA13364121E9228ABA7CE29D,SHA256=AC8BA2276AD26FD06C135256976C07DB16E6A3DB6A11C35664AFC86F91B47068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.058{69CF5F33-833E-6151-DF78-00000000FD01}13563484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:28.915{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F242ED527F080AAE6A2E0B497E42E317,SHA256=1B9A7995F1D99400431976B9A91BF636CB3168C97032301DD4E1B81AA7AC2310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8340-6151-E278-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8340-6151-E278-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.808{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8340-6151-E278-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.778{69CF5F33-8340-6151-E278-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=693DB9126BF5849806A67B0374389DF3,SHA256=69657F2568F2923606652CC3FC41C7635C6CCCA76CF4C7690883CA8394E7E960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DFD22531F73EC1106809B75805D90,SHA256=0E1244B24C7ACD4847D5F6350676A6F753FC7A2EF5957722985B0C07DA1BF6AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.339{69CF5F33-8340-6151-E178-00000000FD01}20283224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8340-6151-E178-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.199{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8340-6151-E178-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.183{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8340-6151-E178-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:28.184{69CF5F33-8340-6151-E178-00000000FD01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:29.929{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F492902F31C42733EE3805DC578E0E0E,SHA256=B89FA61BD964EE723E56BB76916FDB07FBC0C622B3C69A3BAD72DAB0D764F021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EF6FEFE8E3554D3E816BA94D9327E2,SHA256=14959E20DEC9C375D12C44435D9BEB2F45EBA7E21544110CF4FDD3B4C7744BF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.652{69CF5F33-8341-6151-E378-00000000FD01}2416716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.496{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8341-6151-E378-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8341-6151-E378-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.480{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8341-6151-E378-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:29.481{69CF5F33-8341-6151-E378-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:30.944{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0814107DCCAF4B7B32B2C1A6F865CFB,SHA256=1B4FA051CE6B1ADA94851A4DEFBFF1E3C44DE93BE55811E5209CE8E62D24D59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:30.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A8ECF1DA2476ADD46ED556067D5DAF,SHA256=004007BAF1B7527D62CB567EFEC5568629756271A75EA379F311852627D19C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:27.687{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58997-false10.0.1.12-8000- 23542300x8000000000000000971724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:30.011{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F25C52370B6F9D987B3ECB0F87C43A5D,SHA256=7838767F5100A96AB5A1B7AF46C13A0050464D3F2BB9DDAE5EE8E961C30E2021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:31.961{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECEA2471018D9BF39794DC3424804B2,SHA256=BDB1BCA4A7B93C0FCBD36A9B1973FB41F70FA018A27A96633B66B0ADD64586B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:32.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E7A52B9A4B4E3AEF2094629589AF6,SHA256=D0EFEF4F1753763B3A091083615BF8F031D894776749F3FA391079E4673F5DC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:29.889{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:32.292{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=24512BD2E06B7965138EE5F478112CDB,SHA256=C994A58FD77110AC091B9E7BDF6D45A8DEE00AF69EF71DA0DB2687D834995720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:32.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132007DC37B78732E84ABCD198DA15E2,SHA256=C0C8C1DE600E46A6FE361C0068F0D9720F25E75D84BDDF92C20C553CBE838351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:33.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8166113B9DB78C6B75C5E49759014BB1,SHA256=E534C91A88841FE50EF4DD256DA63C35DE74C6358389DA2B0ADEBE6D0B2E2E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:33.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=401944C6CE524FC6C580C1D9A540439F,SHA256=84EB6DC9281F416EA02645E21F22AB5ADB663D440ADDD312C924C04A4150A3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:33.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C3F18688DDF48934BEB12DBD17BD2E65,SHA256=B915D6B2786BCE596BC86F214D14FA6FFC1B53AD373FB16D750FC266D16F2906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:33.580{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624B1DB607F4705B9746E51EBCB825E9,SHA256=37CF8AC1EBD09F4CE9A0BC019DDA400D8B0ACA86E7A1453E321DBA1563805528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:33.580{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D89A7383243EFB73350BB19677E13322,SHA256=2DD9A30E8DD0B7A347569EE69F5D8986103A9CC48BB9F4C213EC910CCF628CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:34.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B77A4F3C9A7032BB37B8761DF641C4D,SHA256=4006AB8F95DCB7DD3E1583BC9F966D172B88DE84357CBB072C5EAD294E25B45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:31.935{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65430-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:34.011{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D182BBA949B468802568B8F69CE184F,SHA256=C7198AD1317AB1F228D7947E853E881DB10204E9732C832A87084CE2C0ADBC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:35.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017217437FD8C05B608409F3547408E0,SHA256=88970CDB72B2797A8EBF2B15E9D0D195E5B516A7BA38CF90BF1A5CA7BCB7648C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:35.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E5F16431C82ED7CC430FA7E5EB9C55A,SHA256=6F04E283DACBE8326979E30915BA2FD902D854D42B975F9395B4480CA55844F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:32.890{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58998-false10.0.1.12-8000- 354300x8000000000000000971732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:32.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:35.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9134E994CD5B251C71060522B845FC9,SHA256=8765C4304EE6404DD312C1BE9B1DCCAECAF419FF26FD6DFEFE09F2B6D7E4C226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.878{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.079{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA9DA808C34A857806413477B27EB44,SHA256=6A8DFC7DC043E4723B1520AF8E75216A0EC0F14C600D2B2B11AC85F6C750E54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:36.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133C8F7495F67674E96D23CFB02E6FD8,SHA256=1B934C613FC238853A4A37E80EF31A1BECF246E4D340EF6FBD1E6FBA8C7574D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:36.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672EFF15BAD62075966A303BCDB2B521,SHA256=3CD5367822E72CDF554A44F985B269C02A5EEDB040B6DC1E76067AEED10C9FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:37.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D07088C959B62BFC74A73AAC65F0FC,SHA256=B2761E9977FB70B4EC21CB4C85017F83A859399D64344DCFBE0B3618D330B459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:37.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624B1DB607F4705B9746E51EBCB825E9,SHA256=37CF8AC1EBD09F4CE9A0BC019DDA400D8B0ACA86E7A1453E321DBA1563805528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:37.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C6DEA1DF09A737020130D62CDCEAF7,SHA256=D3D2CE370B5BD20539DFE873AE493AF69FE8AA3708B6C941FAE3281065BD5A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-834A-6151-E478-00000000FD01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-834A-6151-E478-00000000FD01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.449{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-834A-6151-E478-00000000FD01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.434{69CF5F33-834A-6151-E478-00000000FD01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4867395EB0F712485AFBB94709AA2A,SHA256=4C6B7AF92FE477B87BAA0D3B4026375ABA4331EB6481B5857674890673B3D5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.929{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.892{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:35.548{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001042298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:38.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D49CE78583194D8161B2C3ACD2E0D2,SHA256=F501EA09AD3CA1451A661399A1173681AC05B7DC8D3760FF522146A038173AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:39.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED32B3C46D5E4644B840595C484FFCB,SHA256=6505F84CE6F142AB2C14226177133034646E72F92F670644B291EFEEA2A2EC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:39.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017217437FD8C05B608409F3547408E0,SHA256=88970CDB72B2797A8EBF2B15E9D0D195E5B516A7BA38CF90BF1A5CA7BCB7648C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:39.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A7F43C52F6257A688E6AF090D49CF0,SHA256=F7BD2390C116C5223BB0AA1C2D7ABCF7524745869E9DE576D56C7F270CBF5116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:39.009{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C78213B7995C6785E3F1B24E93382227,SHA256=717BEF71858DEA9806531E6DEA458AC142B57E3039C314878F8A61943DD15BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:40.193{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97950E3A31AE3E013B7CD6D357350EF5,SHA256=BA56CE03B1F8B596C2E96B7C856685FFB3C4613F02CF325E0E48E9C5ED01680E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:36.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64839-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:40.277{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B4795882446F4CC2E65CFD9B2F2D28,SHA256=1825FE83B6BF1FE58DE7A3992E00965489EEE5C730276A54FCC4C88DE25DD911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:41.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC87C5771A18FD21AAE45D8D8418458C,SHA256=1357C7FF3A2CEA1B209A41A9B50C51E0C5B635F860109A460796D30DAF5F5675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:41.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4411E8059335F0F3D9105CB2CDCD40D,SHA256=B3C7AA522A160AD4C52E42A158A10F9638D7557B60F32ACC26F85D63063D7AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:38.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58999-false10.0.1.12-8000- 23542300x8000000000000000971756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:41.292{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C044200A07C64AB80D25CB30D071AC4B,SHA256=9541C0D04313E9FD79CEC971CD797F545B725AEE99584B36064659BD3A6C0876,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:39.705{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000971760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:39.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:42.298{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765498D0DD78A5EEBC43D120CE924711,SHA256=EA668B3E1D9C88BE5C10EF69DB63210F658CB178F0499B626A9384B1FB8BA147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=21048697798CAAB3FCB78A3CA75D7E7B,SHA256=26E9600A39AA9C7AEA63B6E5753090BA11CB34403BA98CAE06CBABB52EE9DD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0958159513C1BA0F7CC17D7677A2B9BE,SHA256=EBC446A7E0C18287E331F6E470BB09FEF5AA4D425B651B4E466376E2A88B71CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=ACB806F7FD4EA175E96F33CB0EC294D7,SHA256=4B14B3E96CB79AB9CE8452B09CB81EF607592FFB4E8583626F28EAA56865C44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=71F63AE1C5A696FE9F32E777552C9AB4,SHA256=C702544EF25AC5CE95CC7693FE8C11DC03D8FF8D4F083928E11D7701B44E5A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=47908B49833FF20132FFCB067CB0E04F,SHA256=9EABDCB15EBE3D3AECA62573BE6B22B1B8152B74E1DDF046447718FD71346DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.376{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C38B3586D3E73F88AEADE4EF4B31A142,SHA256=E4403E63142A32F6DC386F7ED675ADA3B9689A3EFCD9DBB4E6EEBABC18FAFFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:42.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E37815AE5361ED08088A8621C83895,SHA256=7A32558531A2FAA652F7701EA93105A952FC7B76997CD3ECECBAF5C6DF9BDF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:42.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE1A96CE79A629489CA0228EC9326A0,SHA256=0A21E641188E5B09ED9E78278F2B795F60FB2ED19CF97C0B4D992C7FC28E29C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:43.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD36E8E34F37B7CF4A8E1FA2AAEB94E1,SHA256=FC75D7C8409DDB05B2E7EE5072807AE0A31B79DA8060F4D277D4152AAE657747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:43.276{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B434C0512FBC243FB2E5E557BB237F9E,SHA256=EACD2EFB05F74E31E5A3E25391F17DE88B40F673B113D9F538A65F066207EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:43.210{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4276MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:40.900{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:44.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F0557300B8F124AA3C798AFBF6624A,SHA256=BBB2A018B6A710ED5D612F33A83CFFF9C2290B95DF91AABBCA36745167CE0D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:44.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ACD1D15D7324C389A3DDE6D8FC9182,SHA256=F6042BE58F053E19375660F0BBB66F1A5F070D02C6FB0D65B2F84D8EBAF1F693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:44.208{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4277MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8351-6151-3D79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8351-6151-3D79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.539{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8351-6151-3D79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.525{5EBD8912-8351-6151-3D79-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.477{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CBB87D3212BD6DD3416DA04D78D908,SHA256=7722F8F93EEC36E9003E557A955207A7665D15106EFE8A6944F9C860AA17E015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:45.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454F768805BA3A5042059679C163801C,SHA256=28BD2005F2321049C7018476D1E5DCB09B273244CAF4A3209540924C4CE227EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.208{5EBD8912-8351-6151-3C79-00000000FC01}67722280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8351-6151-3C79-00000000FC01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8351-6151-3C79-00000000FC01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.022{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8351-6151-3C79-00000000FC01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.007{5EBD8912-8351-6151-3C79-00000000FC01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1159D24E9A34AB8B781660F527902EF6,SHA256=00551CAAC0406E00AA9B1CCDE8B8CEA268644238BEA9C85B26E38C2FF7CD4EB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:44.172{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:46.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3911B7D97728BC89F71A830DFF9B9B3,SHA256=76AA25C349E6A98A5E8DDCE8F2BB9D2A44970AFBEE21920614544F5EE4CAF3EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8352-6151-3E79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8352-6151-3E79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.145{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8352-6151-3E79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.130{5EBD8912-8352-6151-3E79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=150DCFDF1B0BC435EE57E67CBE649402,SHA256=A21C7C672BACD4D3BB8E9E4A9F88CB7FF18CCE97828E9E6CEFB6B3BF4E3C96E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:47.555{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B62730AED8ABD4C9B2F35641037C78,SHA256=F58251AEF34520E1874C1C96051C937E8743175E54CEC3800E27DE2E22C82AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:47.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0669842D73D36E70F801DC848C4A8B80,SHA256=617E0F97195F8D9C2B54EE09DCE06EBC9778E529C53A18DBC3694999CD60F0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:45.704{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:47.155{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=413035D63F951B4A32F0AC24D2FC2FEE,SHA256=45F55458DFF56FE48EF71793D2F2FC9024C6C54F837FC2B5F8F4026EF1EBCC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:47.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83FF2CD951643060B291A45D233B001B,SHA256=EE8B2A7936407AF646236627D6C06CC8BAC93D64820A65BA1EA551B70E65A036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:48.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A3AFDC1054E44C38CDFB75B1E27B28,SHA256=E1520476A642C5EC34124EE5C334DF60EA0792F7AF288F32CFAB6035B8F0AA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:48.798{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D4F8F151E41884B7AFD7DD08C1F1B90,SHA256=7811A842DD50FBAE388180BF3CF6D426E97C32EED94B8217A952760F4846ADBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:48.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9D7630270F41D663725FB971D88A02,SHA256=21D8EA432DADF692697546CEF7C729FA1F64EB639BF6A42A6D4B4EC1C3628145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:49.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341B257ACF0622722F611AC58673F573,SHA256=85EA0D2F708756D60027A46C35AD045B6755FE5FA1F47452434CE803B647AA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:49.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FAD53B790C229605E30D0CEC97A7081,SHA256=16D9C08F5EF9E49515A49E9D21CD08885ADECD677B2A1191BCC19CC72C37C3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:49.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470BCD7E4F61B73D56325C85DBDA7964,SHA256=3050DFC0C3AB87E6DAFDF18EA6E6E3C257238944AF9031FF85C25BE9279B1642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:46.828{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000971770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:44.803{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59000-false10.0.1.12-8000- 23542300x80000000000000001042355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:50.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045EBF8D26D31AA3E4DD3162AB9AD6B,SHA256=F7531B4BC31D286186B9E467CDE0FC275B0CE51C75D4F298F5597E4FCBEC806D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:50.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC766CC499D3DC88F260C593F2A40FB0,SHA256=D932C9900524D0C5DCB2E5026BB7E07F2E1D1AC2F2E73755F89620D9E86A75FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:46.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:46.077{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:51.683{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76C9DF6115F296BA677020CB3208494,SHA256=518D53272B243350C6A90730DB41847AA7DBD6DBA47CF844BB523B221328666D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:51.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565B267BDACF1AC51DD88E9E7D02498F,SHA256=B68418D79213A6ED39E2406E41E0AA5F67D5CAFFDDCD7C5AECCE090C4AEEF8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:52.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CD942687A7E308A2056E28F66BE79A,SHA256=B6B79CF583E52FF64AB7C43C578707EF0057B9F12AD56867F28FE1D1DD889DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:52.683{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0762D641DE24579C2AFAADC47C20BE,SHA256=DB35ABB7501B17259E6327590C84F68543183F1645E527D7620073C55E4B860A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:53.714{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2FFE2AF758E3D2A065F3123E697F8A,SHA256=E4AA52FCB5B1FB1C4A0BFF97621402873E25DDEB0A26C4C83440B3E9AB3BBFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:53.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719EC415D507CE6AAB3DB237E382507A,SHA256=5BDED909EC67B4150F1B2EC77D582BB15B4FABDAA5AE2C9051330CC016D23AD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-835A-6151-4079-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.916{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-835A-6151-4079-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.900{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-835A-6151-4079-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.901{5EBD8912-835A-6151-4079-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FAAC2BBF1C31A5D0CBD36CC2450A0B,SHA256=BD704C9D97CE13E12399ABB3091C57EFDAC6B53CE9AD57CE07362028C3CE3BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFBC5F98180616465ECA5BE9F7B5E7C1,SHA256=C487E0F04810849A41EC64A9490124C55AA961D58C4A43F1E77158D7196EA5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5257A9C52EF428D65C18309CEFF8915B,SHA256=03E70C456D1C9C7BD91DC70348E40955EE2FCC0F1E10E5C4E9870E6E8BD4EC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:54.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA7DD13E5ABF8343FEAC76EB85D460E,SHA256=45341D7EC1139927B2C21148358BDD254CC6C22201F4C7EEC49FA3FE4D8D108B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.699{5EBD8912-835A-6151-3F79-00000000FC01}9005096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-835A-6151-3F79-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-835A-6151-3F79-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.383{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-835A-6151-3F79-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.352{5EBD8912-835A-6151-3F79-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:50.787{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59001-false10.0.1.12-8000- 23542300x80000000000000001042392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FAAC2BBF1C31A5D0CBD36CC2450A0B,SHA256=BD704C9D97CE13E12399ABB3091C57EFDAC6B53CE9AD57CE07362028C3CE3BA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.786{5EBD8912-835B-6151-4179-00000000FC01}7564388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C232AF23CE3EBECE026C6038231E42A8,SHA256=E073813A558728C2A79A05B504B0022CF3FDF121121F28386DEAAA12D7DE12D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:55.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95C8AF0664CE78F1B2F5F9464BE4674,SHA256=FF11475A31A55543213BC2EBAE00A641E8CDD626D03F3C6226FD375B284DC789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:55.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06601A9D038B4DEBB80274B53156F5B,SHA256=D8EA339E03B996279D18CB98FF632E4F53C5E4E851502CF98B449D8DC5C40CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:55.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FBC6186BDDA4054216183AD8DFD4B8,SHA256=B6071DB4100326AD45FB25BDA75FCB6792CEFD344CCCA3570AB645ED2FE8C06E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-835B-6151-4179-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-835B-6151-4179-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.602{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-835B-6151-4179-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.587{5EBD8912-835B-6151-4179-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001042381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:55.117{5EBD8912-835A-6151-4079-00000000FC01}68725144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:53.242{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:52.760{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000971781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:51.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de57197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:56.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB003C8C5FED35324F8F058D1CB571,SHA256=188D7FDECE8D5431FD1A27B787D5AAFF33BBA6AB952091C0F10561DE1CE83476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.758{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DB3D0B2AE67EDDBF5620D0F843AC07,SHA256=CB37CAFB406A842B79458B6F49CC1A99F7B5DBBA9AAD3F1B692EB424F51B7C63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-835C-6151-4279-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-835C-6151-4279-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.301{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-835C-6151-4279-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.286{5EBD8912-835C-6151-4279-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001042393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:54.362{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com58366-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000971785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:53.399{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63139-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:57.775{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B38316ED6643D259AFAE5C4B006526F,SHA256=390AD7984C4A9B68EF0067A7C6D8E05603D0924957E42F3C6BD94D3A35668781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:57.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8793A4F5F5159714850E11758520C6E2,SHA256=4F32968E5FCFECE1B649A6991304D1E17516F5014ED8898DDCB129F5D5E6E260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:57.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=297ADF99A2EE98BE8E7DF64D7954FBC7,SHA256=543CBBF0866D8F2CADEA7AEBA4EDC1640AAEC2E687B3FC7EDD2EF73BD85CEF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:58.795{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE8432EB45B83E76F04C56F79C37581,SHA256=B9ED30FDAC6ABB7E4C63BC6281CB8F60C4C6CFBE6677AAAB7855C6015C260449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:58.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1F159CAA9B389DBA821270276A0FCB,SHA256=3F5061B02037D7FD0AA9393B6C65349D453A6A5BCFA8A1698DD0CCF822F59E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:56.453{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:59.809{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B692E26D977E71E236238619E0880B6,SHA256=904FCE823996C03F2973904EA30B097CD6934DF1A5E7875CD6D48EEE59338F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:59.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7979FCCB27ED06AB03EA0A1834EE62C0,SHA256=C1DA2FE14F90B703FBCF9DD53165221FDDABFD201201B6EDC1899129EFA07F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:59.294{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A708EFCA542269A526592AF77858F48,SHA256=FE64F63A7CE3FEC6145EE521A67968ECABE2F06C64FE2724958277377DA59A22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:39:56.756{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59002-false10.0.1.12-8000- 23542300x8000000000000000971790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:00.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3521745E9B6CE155645FF41D07E26A1,SHA256=DD6558D58275A443C79A6A94135A61ABF82E08E31B75E71C44E250DA42E6CACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:00.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DCC2F87D8417ECE43D72E3CFC68381,SHA256=4884D50EDC5F71E0119F5549E210F76485B0D92600812251C59AEEB7A86F2ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:00.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA8AC400C3D9C63F60FCAD5D0353E10,SHA256=71F8DD64DB80041F6225C69EB479D9CFCF9FBE30326D936A22B567B19E745659,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:57.849{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:57.650{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59718-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:39:57.579{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55802-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:01.735{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22998018D686110FD029871673080BE1,SHA256=A81925D4E89E7B3BCCFB85CF531966B1849168ED34E49D9192E07803A9BC9067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:01.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BD97996094DDE5DB8878791DB6D7C0,SHA256=816C341BDC28C91287FDA1DDF7D183EA8CE89E071B6AFE422B5F1FFBE271518D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:02.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2342A4D6242D9DC036E55C5E4A3C1FFF,SHA256=98A76007CCE0A1E623AB03E3A33AD034BF72BE435C1714EEEE780626428F6A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:02.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2ED11395444B41C21F1FF7B46C6524,SHA256=ECF31EBE2DDD994F5F6B166C429519066540A7E81AC724756144B701EC4C13BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:03.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6618582AD932BE9FF054DEEF3AFFAC14,SHA256=6FC61C4D2D47871BA9545E78DC1419870A9BDD908D21EAFE3FA2A4D77AFCEA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:03.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766BA9F95480B2B70271AE7465CDA39C,SHA256=5AF6205171C57559D9E8A7CCD7ECD432D8647F5FEEAEDB42C5CC136EBBC18EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:03.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95C8AF0664CE78F1B2F5F9464BE4674,SHA256=FF11475A31A55543213BC2EBAE00A641E8CDD626D03F3C6226FD375B284DC789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:04.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895B247B6231338A73EB80A90022F67F,SHA256=5D1F477674B57936935A5AF4637D96517F4CEE4CD1783737D47AF2928109205E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:04.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D34002B686F7590225AF4B6AC6110B,SHA256=C2D05B5976C3192B1ACCB39908CFB37DDA3D932983EC6C550ACB5EF3098CD44F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:00.701{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:05.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2DC15B0D852E48CC447D81E1D82DD0,SHA256=04F72CC025299295B09F567CDD60D469925CDE459D4EF0885E72A1E5F9E72401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:05.813{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766BA9F95480B2B70271AE7465CDA39C,SHA256=5AF6205171C57559D9E8A7CCD7ECD432D8647F5FEEAEDB42C5CC136EBBC18EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:05.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ECFB102A172FE36B5CF8AD19F9196A,SHA256=01B7C30ED9D651747E413B9955648BBCE8E99989ACC8ADE0C9EA196CC7627129,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:03.783{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000971798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:01.802{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59003-false10.0.1.12-8000- 23542300x80000000000000001042420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:06.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8478DF6087BBE3400C2674016C279BE,SHA256=3F628D0A53C07EC6B89850C322354C2CF33CBC0F926D0D045E83EE003093EA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:06.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6046FF872E1C5AC9838F30F54D565B6C,SHA256=0DDAFADB4E3B4D9090736C0802A7770565B900FF3039F64374A0273FCA11D5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:06.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF7A5929E9477E2604307BA5857DE93,SHA256=140EE9AAE39809508126B5BB855FFD65DD4C3EDC907995B403150E9D5187B46B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:03.001{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:07.971{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9834EB8397103FCBB1E1DC74C2CA15,SHA256=72FC54D6655AE6EDFEB731D19DDD70F3B5F5043133A4E81813B50519855D72E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:07.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:07.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:07.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:07.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50F0A335ABB9FF3045663EED554224D,SHA256=05089D3EB82E5FA7D4F0D5FA4AC8FE1EFDF90D96203027AAE62EE3688C0F7E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:07.470{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C588DA0DE04912B970CF4D9F61134CB3,SHA256=49A2D0769957FAF3D86F576394262985B5C02BE5BD0FE87803A4FD711F342FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:07.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C63E537545A662F720CB246D7C18F7BC,SHA256=E1D69E21D238D9A3E1F49FE87EF184EC853458C83AFC3046EEA1AB51EFF9540B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:04.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:08.986{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58F41D4EE79EB0A1C3A58171DD10B53,SHA256=B9AB0B85D72BDA2D21279B82BE64877F414B693835243427D973DDC708B77740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:08.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DACA0E3DB00EFB6B169DD51939FFA55,SHA256=4839899796F467525957F94D8A9B7578167339B1B48F9F6C7DEDBE4E97755A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:05.659{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com55473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:09.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B760EACCB899A590183A038C10D48720,SHA256=AB44B8A5985403EC3CD5A7C45F75396769C52C4155A95F2478EF385A422CDAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:10.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A994903179EC28E69860BD6584D4A,SHA256=D9EC7652BE72C31FCEEC19C231A12B0960A62F3BC46056E03C2944BFD566A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:10.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3C04732D865D4CB28F6C53C011482C,SHA256=C569B77801045B9C2DF477AC7AA69A512F54B23A6E4CB340D3DA8151BD02463E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:06.848{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59004-false10.0.1.12-8000- 23542300x8000000000000000971813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:11.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1B9B1DDF5D84E61CC118487947BA24,SHA256=0483138245C05AA7B0275614B67A3B0BD4376D1540F04381917CA3D3AF13CD50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:09.659{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460- 354300x80000000000000001042429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:09.657{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50853- 354300x80000000000000001042428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:09.657{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50853-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 23542300x80000000000000001042427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:11.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7802E09A13FC6DBED25A8E261E4151E,SHA256=AEDAF8EC51607651C1F12F10EE0B175012D26B47DDCF888B98F69A63DA206D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:12.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F02F4368C97CC5AD42C44A2AC5187D,SHA256=9FDD6A547B1EF87FE4DFB69DB9EFD652B161F2EB658F43B139AD70D3D95A2F75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:09.740{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:12.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4EEAB67A4F8CF58D8D03BB6685CF56,SHA256=2B6E6D7381DA1C83B65AF248A38183E3CB522BDCE40FA837823DA7B7C8F8BB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:13.766{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F261E5EC60A1506F09A91D0F4F5F1B07,SHA256=6E52CE8B4DFD59414F4FE6A6554D461338782D59353883872330E4C6A3C72A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:13.766{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E69819A121DA3F3EA84483C5163F356,SHA256=7253457560C862AFED8A5EDA0A545E3632EA1B224D030AF3B4728A9776EE3426,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:10.958{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-52244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:13.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF0D5E700BA4C2E98B39E4B0BCFEB93,SHA256=27BE49D5220FFB8C798DFFCA8C50DA02E056FA521D67103707A27FDF7A8A430A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:13.182{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E24389EFB9B4EB96D994D20258305,SHA256=CDACE1EB999F93F30EE63D6D6E7BFD00EF32B66C58D431B493963D2FE1EF8683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:13.001{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:11.630{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59005-false10.0.1.12-8089- 23542300x8000000000000000971820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:14.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F41F7C5BD21FCB07FBD78A32581FAA,SHA256=90D5297B6E6B43F54EE6E72C99301909EB4A95B752F1F940399C0C8C57A8B3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:14.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3083BB2833374223E1E88C9A010CDAA6,SHA256=39BFE29FE209D0431274213173394AECA3B8CFCF6B4D69BC0BB538B4D99F830D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:15.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA0C682FB7863213483096682ADFCD8,SHA256=6E4B0ACD094DACD3DB1683FAC39D3233ED457354BEF7FDF3F9C1035BC672A104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:15.247{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6DA2C5A2FCDF16B941181D3E263F7C,SHA256=D2C132499885A5E4021C307BC89CA83B89587EBEAA4725640A203BEF86CBEAD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:12.754{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59006-false10.0.1.12-8000- 23542300x8000000000000000971824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:16.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11FE49C9D86AE067D2052D32F950CA4,SHA256=872CBA6B4AFFE5B76E91FEEC00DCB62EACF03A16A2142A2FFC1AA82C79288ABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:14.907{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:16.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C0B629E872DA4A12A7543679F33E76,SHA256=EE97D6A24A2C42A6FA313286F578BECA5DC4CA58F18DD410CAC4B44D64331D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:16.319{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4277MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:16.466{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001042437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:16.466{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:16.465{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfb1511b.TMPMD5=352C435B3CE2D46DA95030085FEDAE9E,SHA256=E5EB3E29608D480D7D17D96084EF9DE6A1C767EDB2841811456C66C71F701B63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:15.706{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65278-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:15.706{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65278-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001042443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:17.529{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF8BE4C20C8380E63B6BB4BEF3EDAF0,SHA256=B1AF7DDE5381612FF3719DF93A6263E111F92A9F9F5F33E575A2928EB8095EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:17.697{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07197422B7F183190D1CC56AF928AE46,SHA256=FC7EAB64D184B55E9DFDC3F7B361F462CCF1AE9EF1EC6705A5547EF2943F4B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:17.325{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4278MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:17.029{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8F3ECE8FB1FF7E7D73467E9302A0E4,SHA256=0959960BF15FEB5A14902AD7B39CCA1A79E83F66AF5DF961684149D2DBEBC6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:17.029{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C588DA0DE04912B970CF4D9F61134CB3,SHA256=49A2D0769957FAF3D86F576394262985B5C02BE5BD0FE87803A4FD711F342FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:16.661{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:18.544{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C2341B1A58A46D61DF9ACB118C42A0,SHA256=455265127F20C4108BFFC8152ECB32DA68807BC8B6C062D93D5A34136C31ADEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:18.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E312074F1505C6E3CAAE1CD244F6D778,SHA256=8081D68F946707F7790B74D31BB5B42D4B1D0DA72A208931D476EB40CA949663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:18.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8F3ECE8FB1FF7E7D73467E9302A0E4,SHA256=0959960BF15FEB5A14902AD7B39CCA1A79E83F66AF5DF961684149D2DBEBC6C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001042453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.760{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001042452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.759{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=49EF22F41316F5F666CC43352458D88C,SHA256=FF80ABD91A9FCCD1C4CF6E5A9C6B94E0F9E928F2F7AA125F676F1C778D6E25FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.712{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE481170394A8289434D9D201E7BF3E,SHA256=0A638D1685FF480BC1598756A6DDF21169008E648677F095CA0FE61C81D79F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:19.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A823238D088AFC2C665BEF27887C00,SHA256=0309D0B87402E85E7A675C162C86A67B5AB80B1504EFD9318C133FE12941F4A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001042450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.343{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001042449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.343{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=CE30C1F0D806629675E3C1281C7461D7,SHA256=563562CDDB4C2874C051C76A68A7268B4BBB9C607969019C9B4BD647DFFDE304,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:17.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59007-false10.0.1.12-8000- 23542300x8000000000000000971830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:20.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A18931A8834D33AAE28C76E738FBF,SHA256=2E4DDAB88E7C046EABBEF7ED3BB10CC31486B8EC5EA9BF28D9126586EEDC6295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=416A129DBD1B09093C1013FD4DD17B67,SHA256=831185DC83E0B0B05944820099EE2F58C8669D8691B84E29805E9509B7A5D278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.846{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.846{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:19.210{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFED912DB731CF015A604BBFB07559,SHA256=F7A31B60348D0893A8BCC850830216AB418A63073B589487301231E112D30B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.527{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B8A-6151-4778-00000000FC01}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e4901f|C:\Program Files\Mozilla Firefox\xul.dll+e3814d|C:\Program Files\Mozilla Firefox\xul.dll+e395b4|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 10341000x80000000000000001042454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.511{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.431{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local65311-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x80000000000000001042524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.397{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65284-false104.18.8.111-443https 354300x80000000000000001042523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.394{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65283-false151.101.129.26-443https 354300x80000000000000001042522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.393{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65282-false104.16.122.175-443https 354300x80000000000000001042521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.392{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65310- 354300x80000000000000001042520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.392{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65281-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x80000000000000001042519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.391{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64462- 354300x80000000000000001042518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.391{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54514- 354300x80000000000000001042517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.389{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50031- 354300x80000000000000001042516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.389{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58684- 354300x80000000000000001042515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.341{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.741{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280475D5F92ABFC83A917AE5D872AD04,SHA256=C8E9E1F68A7CC0E82DFF3AB6E08AB41F0662C84E9908D23CA29C7E44402C5DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:21.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C4DFFC812AFD9919FD819F9B3D8867,SHA256=D8305323ACFCB684D51D62B2CC7D6B25FA01935F11198C3E241A3AB4CE3D50B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.657{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-7B8A-6151-4778-00000000FC01}7088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.651{5EBD8912-7B3A-6151-3A78-00000000FC01}71206188C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.637{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.637{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.629{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.629{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.614{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001042506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:40:21.614{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\cubeb-pipe-7120-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001042505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:40:21.614{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\cubeb-pipe-7120-5C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001042504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.604{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001042503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:40:21.603{5EBD8912-7B3D-6151-3B78-00000000FC01}6180\chrome.7120.12.148343683C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001042502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.603{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001042501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:40:21.603{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.12.148343683C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001042500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.600{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001042499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:40:21.600{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.11.177605588C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001042498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.598{5EBD8912-7B3A-6151-3A78-00000000FC01}71203088C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.598{5EBD8912-7F30-614D-1400-00000000FC01}1104372C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001042496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:40:21.598{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\gecko-crash-server-pipe.7120C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001042495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.576{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051B5AD9CE94B2F558992B62752ED2A2,SHA256=C064699D4E67634377C1D1CE54AB52501C433C303CFC67E930A699EA50658952,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.243{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65280-false104.18.0.145-443https 354300x80000000000000001042493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.182{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65279-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 10341000x80000000000000001042492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001042477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001042476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-79BB-6151-D077-00000000FC01}46122872C:\Windows\system32\csrss.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-7B3A-6151-3A78-00000000FC01}71201744C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.544{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7120.11.1776055885\511443567" -childID 6 -isForBrowser -prefsHandle 3596 -prefMapHandle 8556 -prefsLen 15777 -prefMapSize 235573 -jsInit 1128 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7120 "\\.\pipe\gecko-crash-server-pipe.7120" 3972 16e73b31f38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x80000000000000001042466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:40:21.535{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.11.177605588C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001042465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.525{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-walMD5=8628E01DF6269D337C81B57AD92B9E08,SHA256=DA03C4C680409EDB83C15932AFA25DA0A1586465DA868C8A277507D57A730A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.524{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=E0C6BC56246E04E3528F924CFD0B10C0,SHA256=797910FEF270FF24EBCCFEB41952DBC6ED892D9A3F586099441E230898CF163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.500{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-journalMD5=F48622867BA148E6D7AD6729F26EBDDC,SHA256=62651DB6184FF918EAF42ECC8CF1AF3304F17137EBCF5797430DD3FD3280418C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.492{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-journalMD5=6B0DCDA0B5CB5931556A7E39B9837B35,SHA256=1B0822F1315D760806B4DFA7FC1A63B80ED69A252D17ACA496C7621F6E9252DA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001042461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.700{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0::ffff:104.16.122.175;::ffff:104.16.124.175;::ffff:104.16.125.175;::ffff:104.16.126.175;::ffff:104.16.123.175;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000971833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:22.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB559067BF583AE2C955FA6E7845D7A3,SHA256=F308A4A7480E39D3D436621BCDE8B8B1447FF99E35DB4F202EAA8701919D811A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:22.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C107DC16CB7224A3935DF739B831708B,SHA256=B609800AF4C56187C501A76C3FF7B21F3480309FDBB99EC4DBF1F0B879D33F39,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001042532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:22.072{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com0142.250.186.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001042531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.704{5EBD8912-7B3A-6151-3A78-00000000FC01}7120polyfill.io02a04:4e42:800::282;2a04:4e42:e00::282;2a04:4e42:400::282;2a04:4e42:200::282;2a04:4e42:600::282;2a04:4e42::282;2a04:4e42:c00::282;2a04:4e42:a00::282;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001042530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.702{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com02606:4700::6810:7baf;2606:4700::6810:7caf;2606:4700::6810:7eaf;2606:4700::6810:7aaf;2606:4700::6810:7daf;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001042529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.701{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0104.16.124.175;104.16.125.175;104.16.126.175;104.16.123.175;104.16.122.175;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001042528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:22.547{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F98E0E187852A50961CDF23A0A29BB2,SHA256=8277100B0596AFA44790F11F968A04550B7A405FD465FD9E71A11CF514EB51B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.839{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65286-false104.21.50.127-443https 354300x80000000000000001042526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:20.788{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:23.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE69D7378DD7C49EF58B57ECC52C05DA,SHA256=551F7B7B9310C6BBE17617E7C807A3467882F8F80DEE71ED3A3509667C8DB5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:23.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F261E5EC60A1506F09A91D0F4F5F1B07,SHA256=6E52CE8B4DFD59414F4FE6A6554D461338782D59353883872330E4C6A3C72A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:23.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5C74D7158A526025144C7D7A5F6E71,SHA256=E665132B8DE75254CE3B06189B7B523C5353F7661355511DC66227717F85EDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:23.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007CEB29BBC10BB20710C5B12A178A4C,SHA256=194170D8AA515F12707263339F736B2C31551F833A93C3EE98FF2DBDE11B6976,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.763{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65289-false104.18.9.111-443https 354300x80000000000000001042536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.682{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65288-false104.18.8.111-443https 354300x80000000000000001042535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.198{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.130{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65287-false104.18.9.111-443https 23542300x8000000000000000971838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:24.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5121EF54DF18171AF811D7BA845613AA,SHA256=DE73388106A6E978FA0DEF54A396A76C33E227DB6F37D4AD0EBEBF63D91A6E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE46CA675ECDDDB5612431028731B46,SHA256=F7DC915A169BC1BC3C9FCDB897D6CE2909379C5FBFB6BA33DC651A4F49EEA546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:19.754{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-58108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.659{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\7247MD5=C2E3991221B947FC9B4DDE9E18DABD37,SHA256=E9D5D13240063599FC591810ECFF9829E94FDFF608F8F7AF23A0C591D2F37F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.490{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\usageMD5=8C76267DEB754BBB1F7A9A798D626A9A,SHA256=7853ACB32A99B8240BE46B33DAE3D1E92C61CB16693E1FB42400F779401B5113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.488{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqliteMD5=7E626701CDF0B302BCFEDB51D4076952,SHA256=0BCF2A2D9A4647955572D1958C7B83D2AC8C78643BC2D612B963DE391046549A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.488{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqliteMD5=44215605BAD770C7793DF78F03F7A7A8,SHA256=D237159FBB4F9FFB42669F68B29217B6C9D0DD97A07EC33AABBA9A2B9552A8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.486{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\.metadata-v2MD5=0F04AE4A085BE8C64F2579473F198DA7,SHA256=746891664B38D3015C51D4FFCC65E1E6BBB84BDB17F710EA92C3205833BBA7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.480{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=EEC4FA640B573953BD605E8C236B5040,SHA256=B85180CED4D137889A39465436E5C0103B86C2DE1F0002ED8797424EBA9F5941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.478{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=6AB3EFBAD985745080E7C063C09874E1,SHA256=04E2E82DB63D8A0DDDE606F4E9455A5F81074FC960FB182AE1820CB10B461900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.464{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=C212E893DAA23CBB8E80FFA70785F63F,SHA256=4ACDE27B0BB92E572BB60D6C4A6C591B477E8AA27D0E03CAAEEA0BE3B336DB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.462{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=580304A1D91E08E007CCA3EDF5A8E30B,SHA256=8848C74F92C2407DA413EA5289088FCEB7F9CD458BE16513A469C68BB75AA21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.458{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=968974A00A7C1F5A38E25C0ADEE8752C,SHA256=6B490D273574DFA1E0CDD5D64874EDCFFA0B3EB08CE1B1E6E8EABD17D325A6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.436{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=AC79C704FDDAA2F12D2063CA7D8E7126,SHA256=FAD38A41458915A6B9E19363101A91B0C55B310B26F3ED9F9C410498ECF04149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.424{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=96DC5A7C6486388A904A17C675BC656A,SHA256=530B3651C812D0869E07A049B7F9166E0707D8D6979E7E87333A011CC4D88096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.418{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\protections.sqlite-journalMD5=AC57F4075D3BD5ED921B5303F4959929,SHA256=DAED407B6B58DBC2A449FE3953F77178CA317D637DE91B4E6658624DB2732C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.410{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=AD11B2055394FF849BC6ED1E67260FBC,SHA256=8764156C365EF28FA06EC2BB29BC5C99CE192E3435173693448647340062DF3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71206188C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3D78-00000000FC01}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+2461028|C:\Program Files\Mozilla Firefox\xul.dll+231e7d1|C:\Program Files\Mozilla Firefox\xul.dll+231a7aa|C:\Program Files\Mozilla Firefox\xul.dll+316c196|C:\Program Files\Mozilla Firefox\xul.dll+a80850|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.406{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-walMD5=C9B8F6355803D340DB5417840F287CB7,SHA256=7F00B53E4F218933E16623120DA868A89BF0C5C0EA62FE271BE62A87541FFD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.404{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=F8F480745EA12425B8CE27158D6928E0,SHA256=9A76E28391C0BA8F2E80B1C849E6ED793BD6B7CDC37F81759BDA0BC61ED2C109,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:24.368{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.926{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64462-false142.250.186.174fra24s08-in-f14.1e100.net443https 354300x80000000000000001042539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:21.905{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65290-false142.250.186.174fra24s08-in-f14.1e100.net443https 23542300x80000000000000001042561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:25.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16682662D9F76EACD70676CFD624ADF,SHA256=86F6ACDAA85CDEB5E2B51D24E0541CE2EC37C4739D81673C9C6535CB432D05FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:25.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47D69C5FACEF13648C9C14C9040CFE4,SHA256=3BA01FBD3849DE2595D18A93050F1AD08ABBD52333F42B8307B94335C826A3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:25.504{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\7358MD5=571637E4DC11DA3F38489902F5367713,SHA256=A166ABCD31BF21762709BE594ADEB01E69CA5D0C9939F00901DAED2744F94D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE69D7378DD7C49EF58B57ECC52C05DA,SHA256=551F7B7B9310C6BBE17617E7C807A3467882F8F80DEE71ED3A3509667C8DB5D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.908{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837A-6151-E678-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-837A-6151-E678-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.892{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837A-6151-E678-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.878{69CF5F33-837A-6151-E678-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6643ADA7D287043438B449E485621F,SHA256=E23EDA1AF50CC7694758DAE408AF1E9A24D6E5AA04BE20A0AFE68DE236D99C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:26.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5F742DDC5BDAA8588D31809E81FAE9,SHA256=4B127076980E8652E4D606E7C64FFBE643F5A7A199F3FEF4EC7A306390B701CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:23.586{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53367- 10341000x8000000000000000971853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.392{69CF5F33-837A-6151-E578-00000000FD01}3236580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837A-6151-E578-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-837A-6151-E578-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.205{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837A-6151-E578-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:26.190{69CF5F33-837A-6151-E578-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:27.945{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C1AE16A37896FAB7C5038C6B39D381,SHA256=9634FF7D2A7BF2743B7D4F6B1559B1CB58CCBEE4816495110A0915AE50680FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837B-6151-E778-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-837B-6151-E778-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.580{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837B-6151-E778-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.565{69CF5F33-837B-6151-E778-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:24.574{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59009-false10.0.1.14-49672- 354300x8000000000000000971871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:24.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:23.865{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59008-false10.0.1.12-8000- 10341000x8000000000000000971869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.096{69CF5F33-837A-6151-E678-00000000FD01}22643844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:27.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FC0A0A8C9343EC216C7E127236F970,SHA256=9EEDC6F4699E26874FFDA8B23A08163E883AF753F68C4E2B16BA334B2F131756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:27.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=288D372E16E701CDFC36577E5410782D,SHA256=F7B1A50D0ECD74E4EEAB316A3055D2448698712C5274F5C93B82F7E034E5A713,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:25.631{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59009-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001042569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:28.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39D22C6D6C3361A47FD9D2EBF21E19F,SHA256=DF833F062D536FCD6CAFF997888CC884A820FDC46DEB6216B5DA1CDBC2F20B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837C-6151-E978-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-837C-6151-E978-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.720{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837C-6151-E978-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.705{69CF5F33-837C-6151-E978-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000971902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.564{69CF5F33-837C-6151-E878-00000000FD01}212912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E0B830D05318B4CC06316627E9C071,SHA256=9D41323BA36ECF3248BCF5EB7E58B1D69D7AB6BFC8A0E95539A0A59D1486DD7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:25.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000971899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837C-6151-E878-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-837C-6151-E878-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.142{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837C-6151-E878-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.100{69CF5F33-837C-6151-E878-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B5E7358E1B9796EE6A1419A2260A8B,SHA256=2BF1EBAFA0F2634FC8FB6AD0BD613CC8B00126CD885454A583F620ECD77F5843,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:26.266{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:29.972{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647901A573E3C477D9812EE947B8EAD1,SHA256=6E4A1DE12F43ECBF5DD5AED2CBF73BBC0A1A11668632C78401167D2CD51E3CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B37E84DD2E6E2480489E31D68F6D6E9A,SHA256=EE76226D2F022692E270AC03150D75A8419A33FFCFCF4839670D57BACC0FEAEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.642{69CF5F33-837D-6151-EA78-00000000FD01}22522836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000971929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6215C84B692193C4B2203F4183B95324,SHA256=5DC0DB16D7C3DE7C104C6CFCD63C354183A8B490A3DCE0F21BCE3A28E839879A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-837D-6151-EA78-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.408{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.392{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-837D-6151-EA78-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.392{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-837D-6151-EA78-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.393{69CF5F33-837D-6151-EA78-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001042570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:26.735{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:30.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF15557F409E46F33E8FA1689638F75,SHA256=46AB272D126922D0A5C65FC3A5413D594493224825A07D8BBB4ED9D0020AD230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:31.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D9D22F4264866AB6BC8232C378CC3F1,SHA256=06BCD43E26BEBD6BAFB3EB530228F687F19D2D6100E95CA14CE9312861085155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:31.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D53D758407FFB28833437762A7638F,SHA256=37325EFE0B133CF74549BDF2B2587980C7CE52D9276CFD4B4DAA6510049B7DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.190{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596403799FE1578EB9E480E7E6D1C338,SHA256=C859DA8FB9B22DA30A3064FA5E02D0492256687C545FFEB43E882704911195E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:27.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001042575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.076{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FC0A0A8C9343EC216C7E127236F970,SHA256=9EEDC6F4699E26874FFDA8B23A08163E883AF753F68C4E2B16BA334B2F131756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:32.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F50130365959C31699E344366C0CDF,SHA256=431402E4FF6A5BB8B98E4885ABB5D580CDF6DF6FE371ED83C85A60F9AC9E63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:32.664{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:32.662{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3BC1C40EC9ACB8EFA84C1C45F2D8087A,SHA256=CF0888351493E809546223063F38BF47D990B6B77028B994E13AD170030615E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:32.203{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82597D0413815401D223D0477B92699E,SHA256=8A0C4E4B30BF8D9CCDD7D3BE43A5BAC4832C68756F7FF5EDABEDB3522972E85F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:29.708{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59010-false10.0.1.12-8000- 354300x8000000000000000971937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:28.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:32.298{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B16F64056AF837C34B095007D0E37F3,SHA256=83CF8C56F8CAB1E3200E007AB3C633F4D7C8F1B25BD4B17E309FD8284824C0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:33.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30C85BFA5F13BF07EB4E0223643B9DF,SHA256=DA86F7F7913ECB5B731B84E3EEB41D7CBFD24ED24D180B61393A82E2B34CCD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:33.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AED81B15CE4E4F5972385A9CAF0EB74,SHA256=D2E755A8F24E23B1A73C6DDF8A3419AE6A2BF85005DCC0EEBAB25146E02F498E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:30.164{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53688-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:29.879{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52910-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:34.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E43E7797D939F1FE74C3F87780DBBF,SHA256=5C0B87ADA6C2623290E472E2CA4B693BE4F328688BEED599FCDB3D37E99E4E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:34.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F291C2C7B145C2E3A8A4E9B7AD36E,SHA256=E9367419287A1EBA7B58225196393AE79F9D410EF8103BDFF42CE8FF064BD143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:34.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=723F9C02BA6F05B882D129F67A4645DB,SHA256=124DD904B1E25F6047BB270EC58526A05D1252F7C9274E3E19AAD6FFB24C98A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:31.781{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:35.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA90F39666B3D297F1F45BB46DE5DE60,SHA256=554709FE79C87F128EE1F81D7A1BAF0623B2332548F107C3124AFA5C12C40C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:35.897{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:35.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F048D18F50452E64E4F9626FE6D977,SHA256=9E9F8D46AE1BD0C66BB800043895ADE2FAD7F4E24975CBC2339FEA28D788EF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:36.877{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7954E20C570B31BEE14AA94EEEAB23ED,SHA256=5305B00E5BD09BB9AB974257F3528A3EC7FB978E7015089B6910B3437AE59192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:36.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D708C5E5B0BC5A17280E460305D3613,SHA256=2E40C8A76C29535BF4BCF60C567C53B061A19C10F48D80D6DE02046815378A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:36.784{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C3F61E6324BE9F0DA8435CEE7D53BAC,SHA256=51D0B923EB9329B749EDB309A76FBC5B2C28B8ABD0AD76A2DF1ADC3B519940D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:36.484{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD697B4828312CE21B7282A79886A6E,SHA256=DD6443A4E342D2FF9DBC7817D11F835EE224B93CDBF885E9D4773230EC993F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:36.404{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=86B639412B3303F16225F368F1A2C4F1,SHA256=D0BB7A4B38B05A9011CF8637C87BD4D0621E028C91B7A16644017B0FCB331184,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:34.406{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:37.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746FE7AA157CBC21242226736C849EC7,SHA256=7DEDEFD120968085FD1FD5157F6CC4812BA560CFE87E69B4BAB0FCC09ACBE26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:37.492{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4687203342D6A2AB211FB1F7EDD6AF75,SHA256=10C094BB8E4EDA3489C63E4CBB0973BC73FA7195EFF67D68637C972FA310ED12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:35.571{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000971961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD7210BFF7FBC29100A5CA3BA0B283D,SHA256=E3AAA2DA074FC121656BFCB29F0DC0632913BA175B68969EBAFE96C0260069A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:38.789{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D708C5E5B0BC5A17280E460305D3613,SHA256=2E40C8A76C29535BF4BCF60C567C53B061A19C10F48D80D6DE02046815378A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:38.498{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D68F62DD2E25BA00034F68774A5050B,SHA256=E453A73EDA322FAC9007988A329CA7F0EFBD54548679BF21D819EE4112273468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000971960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8386-6151-EB78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8386-6151-EB78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000971949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.455{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8386-6151-EB78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000971948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:38.440{69CF5F33-8386-6151-EB78-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000971947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:34.724{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59011-false10.0.1.12-8000- 354300x80000000000000001042593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:36.105{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000971964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:39.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E18219EB2ABE521475DCB937BC34F79,SHA256=E7BD086497D4704323EC567B92A25DCA17882BF463004AE7AAF9B33B0917B4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:39.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54C7B1752557F7786F5B9B7046EC23B,SHA256=35FDC16E4845EEE90051D99C1832AF4AD3DB305AF6FDC029C358F6ECE88CB417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:39.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=661F5CD532A3F8DE87BF993155CEA044,SHA256=0B7C4054C27F43F5AF5B9FCCE8E9193D9A4CF2CB3CB2F8520F3DD24B865E3005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:39.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6898E1ADFE3047294D6B39FF0715003,SHA256=CC24F435278CB7144E1A5D15887DDDF72D80E6B18AA061CD51B1A23169BF8644,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:37.176{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:37.105{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:39.011{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C6C5080A353539FCEFA402AE892F0DD,SHA256=45923B63664D65F30451D3B1CF0FF4F375060A935B45FA49E011DA7621600520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:40.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705E28C558493281695ABF3924C95006,SHA256=5E66C8C8A80590CA0DC64616C0EE3B198C872F0957EF2D893B8228CDEE167E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:40.732{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B127ECBF3DE89C3E8AEB846B0EEC266,SHA256=0AC08AC1F6EECA2F2120C9668A8C6AE4F71AA55AAD491828C020AA1A73078C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:37.397{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:37.751{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000971967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:41.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AA259C971BB04D25F03E0C3B5ECDF9,SHA256=42A75B30F281728D536DF9E14BAFC3220A1AF43D3FD86853773D9C161AF09118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:41.774{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4F5FC331931DFD12F5F22692C5F5E8,SHA256=FCB2441EF70B752724C68F45A0FCF69B5FA2E4FAF107D1017092F66B57B35DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:42.828{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6F1528FE44B8C159C0C26269A061AA,SHA256=F19F4873745AE9580AD1314CA7B6DA2F81ED4CFDCCA20B55F62962A1EFD6F3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:42.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F1A1BF7E8F21C73418BEE4EA1EDD6B,SHA256=D7FB53A21809F77B53BC0198C686C8947365BAD220E515A69012EC652767691D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:42.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=661F5CD532A3F8DE87BF993155CEA044,SHA256=0B7C4054C27F43F5AF5B9FCCE8E9193D9A4CF2CB3CB2F8520F3DD24B865E3005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:43.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82A3933F35322FDED1BBD9B4AC8F670,SHA256=520D54CDCAAD4709A36CBAA97D07E5590D0197090887131E5D449176B7C018A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:43.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F215009884B97002090952C12D6AE1,SHA256=AC751DD68025ECBF9B4255E6CE28EBEDC1A34BDEC2925C616DD721D735D0D6FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:39.833{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59012-false10.0.1.12-8000- 354300x8000000000000000971970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:39.178{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com26569-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:44.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D774DBE8249DDD06A0D659B81FA262F1,SHA256=4AE417A413F95C054A0C7D4353E8AB811A3545FAD75FFD11578DB51A8D3010EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:44.729{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4277MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:42.778{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:42.120{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com30416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:44.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=894D9B257D28811D7CCE28668C272257,SHA256=F1DC8C9E008A5E33A2E12B8DE18D6F6E325B276B125462D4E6E9A87E4C15B8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:44.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE379757917236EA6D5A96950670EEA7,SHA256=09A4997B2781AAF5A90B37F25A5D292CA9DF990B1D707B26350796B19E5DD559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:45.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCD58F617D2362E77D6EA3C60232ACA,SHA256=342FA5DC88DA0E0FA4D8BCBDD8EDA7B84980EAC55B9998B419AFC68D96CD13C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.743{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-838D-6151-4579-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.739{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.739{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.739{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.739{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-838D-6151-4579-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.738{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-838D-6151-4579-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.708{5EBD8912-838D-6151-4579-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.734{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4278MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.224{5EBD8912-838D-6151-4479-00000000FC01}52124504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.190{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6129FA98F235888084A19AF88125F3A8,SHA256=DDC13CB4E33740F1334885C16B8576BA6C800A41244A41EF479D027A1A16DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:45.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=202FA0704ADBDEC8789217626CB896B3,SHA256=B5A974B0CF794D3CDFBC9536B61B11FBB7BA8A67E399E5C6EB45B1E38A1418E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.042{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-838D-6151-4479-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-838D-6151-4479-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.036{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-838D-6151-4479-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:45.009{5EBD8912-838D-6151-4479-00000000FC01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000971978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:46.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4816397E6DC6BC9E95064F734BAE81D,SHA256=0A673A82C13F0E2AB03AFA319EE061EDE4FE35C0B5A5707F998B9B7FFDC3DB6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.514{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-838E-6151-4679-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.512{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.510{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.510{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.510{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.510{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-838E-6151-4679-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.510{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-838E-6151-4679-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.485{5EBD8912-838E-6151-4679-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.206{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC3C995D584A553A5BA6BEDAA622195,SHA256=26AF1AD1F4738FD7C18538D46A0321762FE41D57517CE5D231E3963813E1D5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:46.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84582BE4FF341A7C2E6941D0A82CECA1,SHA256=A2F0E5CEECABF0CCB27EA806FF039250ADB75F2F314A1F9E357A4CA0D8849D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:42.472{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:46.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=894D9B257D28811D7CCE28668C272257,SHA256=F1DC8C9E008A5E33A2E12B8DE18D6F6E325B276B125462D4E6E9A87E4C15B8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:47.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B69A9F22E94B5A5E8DBC8F713E0AB702,SHA256=9256AF62EE55C9F43355D667A337D69C9E185E1F86C71E29FC4276FEA2C17706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:47.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2ABDC78B1BA5FCE107E194B1800FA9,SHA256=AA4ADC71DB7BDAFD96A6EC8D13A2C873123FFD5C191F364704408E6702215BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:47.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C93034D6BB5494376330A1DD3064D266,SHA256=FC40F35320D35906E3D7FCFA35AA5C71A07185BD4B84BA227CD31C38669DA6B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:43.600{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:48.239{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4C6430A0FEFC4A247EECC173976BC0,SHA256=665E23663FCDF276FB7D4A7F47AF43B3BFF9160EB11501854D872E924206F91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:45.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59013-false10.0.1.12-8000- 354300x8000000000000000971983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:44.804{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000971982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:44.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000971981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:48.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211FC1CFA43D6DDE95EE3321B6BB031B,SHA256=0D4DB5F4930D1C8D78C6AC5353CB55FBB0BC27917E82A9720BDD77B64D8B2546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:49.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28709534AF175F0CA486B4FBEDC04585,SHA256=24B8C4EF55BE0A4C0E4C46BABA427E8DBAD7670A406F94A24BAFAE67C5FA00F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:49.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4E3C4F3B3B52A91732FD5457527580,SHA256=8B6E6F8A56C9F05CF788A559BB9A2857AD089DD75BB471665921896660F7CB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:47.886{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:50.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81700F8EB7C4D685552CDD9E71647C6,SHA256=3716867F3530DE1505BF30122FD25D46A0EC1DD7B6595577DDB3095E2209FE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:50.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9ED02FE49693B81735383A31730489,SHA256=A80C8D037693DC3E3FE4EFBDCC10AAC9A587DCC0DDEA412479CA14BEA183C60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:51.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87CD40EBA93877279EC904802CAC2FB,SHA256=7C59506756A38C79CB04E51A109BEB278B8AF15833309C032E13A768AD48FF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:51.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D3093CC2AECBCA63245DA128883768,SHA256=5D66FE3B58543C609B8AD77FDCF76D3EBF0CB65AE34D06A95D6C18B9CED5503F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:52.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4BBD7CB214924CADA5EAACCB186911,SHA256=ACF5B5266F3850C4E01BACFD4D8F33ADFB4DC3C2DA568345E9DAC55F2558EA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:52.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD00EF2BC34B05B9F66F6EBE2B90052,SHA256=BB42586E021A1B4D9AFC48277E0EF5A29280372F320779C04DFCD9198DA020A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:53.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FC06D7AC284C22DE612910CD7E4BE1,SHA256=3EE860AE1C840EB516CA732BC8A1AC23910D361270A04A1E898A6529E53584D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:53.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0CC7768E7EA8CAD5259006B458A3E4,SHA256=B4683F972D365E44EBD782BDC5D52DBC9D37D98E994FFD019F3A1BDF8CD636E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.591{5EBD8912-8396-6151-4779-00000000FC01}31644156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1667A0B529D25DC8A0E7E15A9C8DA3,SHA256=1283363839573CE289EFD93B2FFE79C311FE9508B4AFC31FBC290FC5CC4DD56B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:51.773{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59014-false10.0.1.12-8000- 23542300x8000000000000000971990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:54.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFB20F05331CD873888E75B7F3B9BE3,SHA256=51A09FD56F2782E6B8E32AEEBE01855F209417A1F885810EE3A0DB6F4AB0165E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.391{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8396-6151-4779-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8396-6151-4779-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.375{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8396-6151-4779-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:54.360{5EBD8912-8396-6151-4779-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001042678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8397-6151-4979-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8397-6151-4979-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.759{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8397-6151-4979-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.744{5EBD8912-8397-6151-4979-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001042670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:53.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA17DB0B38829609D8891935FBA4108,SHA256=9AD939146E120D44911E856C790FA1B6FE143FEE32F05FFABB7D555C80AE5E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:55.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DE330ED2987905F5C173249866A371,SHA256=4E8BFAA859FE83EC331A6918634AC4302019F025860254364FAD1F9B311450D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619F848B775C8C4E678BAEC32496C644,SHA256=C23C70C62A395D3705FCB51C8F94E0D196C1284983C8B2C916A22895E8464B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA058169576D4D2E80EC24FFE687BA6,SHA256=2046F64D860B7A47CF070F84B614785F137E36E7FBD2F868F4B43B65F84F82BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.243{5EBD8912-8397-6151-4879-00000000FC01}48284428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8397-6151-4879-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8397-6151-4879-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.059{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8397-6151-4879-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:55.044{5EBD8912-8397-6151-4879-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.759{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619F848B775C8C4E678BAEC32496C644,SHA256=C23C70C62A395D3705FCB51C8F94E0D196C1284983C8B2C916A22895E8464B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.659{5EBD8912-8398-6151-4A79-00000000FC01}41326232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.443{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1849D3D25D0600586E4A948A9BB4F6,SHA256=4AE688F72EBFE45E82C3BA0BC9901F2B6A05C0F9AAA8EF7C0C86652F242A1DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:56.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB34F87B83774D74C8B5858BCCFCF7B,SHA256=197176E7F380210C831347374BBD604AA84583E87C4706EEB7C388A3D7DCC147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8398-6151-4A79-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8398-6151-4A79-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.427{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8398-6151-4A79-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:56.422{5EBD8912-8398-6151-4A79-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:57.474{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B4B50BD8105E8BAFF3F4B6833AD94,SHA256=ADAB8E03FD75E94BEE1190B72E68BBF8C54009DF986983C1ACAD954534D37EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:57.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257E7C2326FC963746B365B277679635,SHA256=21523384A20AE6A6A68B66DA5CE74F845D5466444DB75837E983DDBCC59A0C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:58.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694B3029EF25167F447E82379AEF406F,SHA256=A3176E5E5F02F07C6BB87AE3C78F68604BFAE5CAA69D26D776CDC72156998282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:58.489{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DDA72ACB8BE3776DF5EFC249556B53,SHA256=05C45A56A0098B0BD26F5A4F1CBC3D4CEF79A9B1FC90110837181540E1AB1464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:59.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7773545A006BDAD49464ABB0516455B9,SHA256=44B7983CCA82B2CF7DB10D678C7E157DC6F488C6E885C84ABE496E8E53AB25B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.493{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED55A7DC7E82E778C4837E0345CD12F1,SHA256=4D33751608CEE73BECD4CDEEE1544E39D6CA4C5B33C70CC48A6D69696B13E898,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001042694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:40:59.493{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001042693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:40:59.477{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001042692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:40:59.477{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000971997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:00.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4FD23EA716D8B5C4E759F3232F8961,SHA256=1468D7876B328B1665C5F9AC12861A3FCC62594B27C0F777BD32356D2478254D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.187{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001042701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.187{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001042700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.170{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001042699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.170{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001042698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:58.811{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:00.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D020755346A9F0B5FDEACC7CA56B0F98,SHA256=EB0926A36CDB6E405052D9981F9078C5B620998F1E2507A1EDF98832B826FB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:00.460{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3DED2C2F6B04077025341BF1D355CCA,SHA256=B4B0AF7360202959259FC16E9D2713273628D51E97B52F3C77C88E79C43B177C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.936{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.199{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65300-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001042704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:40:59.199{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65300-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001042703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:01.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6AEFD086C02FB338516B20A17AFE04,SHA256=66AB9CFD29BF64ECA948BD77CC590528675D879E6AB0FCA6276080731278DF2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000971998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:40:57.725{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59015-false10.0.1.12-8000- 354300x80000000000000001042708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:01.240{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56030-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:02.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D1862DE96520BDF510DD06989FA7D6,SHA256=9F596ACAB744E5A27108146D57B5997A9E54D5FEA75A1FB75A4C87C83C5F3303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000971999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:02.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D3F2C16E228E5D3EA8A1A31AAEA145,SHA256=8CE19640D100D30873F261B7D16FDC1B270F169D7CFBD527FC29051540FAB564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:03.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74E2B3C0CE6FDEEE6B4232125082C4A,SHA256=0A2BF0A00545CB7399138D312936ED988B1016ED4770FF5C2A4F5A122379DB17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:03.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F1C8BD75304F62A5F8D0BFB19C2BE,SHA256=112A13C76123FE404CB335B61B044262006F6B45366B11A67C1CD441BDFF12BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:03.106{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C384C20812B068EFCB43866DBF207A0C,SHA256=943EFC2D205055C39B384E6844E1D5A55C4328B572414D52B8140B9E0F0CFE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:04.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9442A8236108E2946E119C245EA024EA,SHA256=1B59AE6BB919EF63ABD2DB6555C89BA19F082D712708B1742940E4EA1740ADB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:04.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD17A1D4F76CB5F0F781DD51DADBC0F6,SHA256=78BA50D12DB0E3766E38F2D0276E45DC3925F055D8B8BB2D09150FC70CE280DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:05.646{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086BA37FAA6BDB2674597B87E9B4B276,SHA256=79107142E2C3ABAEFC2E75D907D9A8348E2DAE399B029D383F4CC805A549CDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:05.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA6DBA15317D74342CEF20871FD9D28,SHA256=458A4169AA38363472EAD0C398BF73292D0259BA62498FC83521D083309FAE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:06.661{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F736B5A5A7948A8BF279CCB8F3E5B51C,SHA256=9F96D20279194ACE5E21F04E8395AE10C48BD881FD044EF42A91579F88EF89AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:06.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1B60B28553A4F8AC34ABC4E4BA0B99,SHA256=70207A08A336DD7F757F7799AE618D596969B207175773A7EC1D41A73571FD67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:05.938{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59040-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:05.869{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:07.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745956ABFD9642A3EB894ED2CF20306E,SHA256=89305B885F57D14B071997AE79DC59BEB3EDA90C177515C96B6E6DB9CB0E5E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:07.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D80765F414D09380471AF4A745745BA8,SHA256=ACF6F9B3F072CA9AC9C14F81FCCA496F1C4B35B0950CA761C0642F55E1B20BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:07.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=038A2C7C5612C97E1D1764E0EA8470DD,SHA256=1F6BF656F7C8E43C20BE7893007F966183525D3F694937445E62A799A7B2B090,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:03.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59016-false10.0.1.12-8000- 23542300x8000000000000000972004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:07.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6963EC739116122118B128C6D2A59A5B,SHA256=8D629A555F3E020BF464F2E74AE8B7FA70684D9C98C1BE9DFE88D262DADB7F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:07.577{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5911BCFC9737B4AC2B084F3FFADA20,SHA256=004EE8205A896AE0E38CB134F160A821C7480099D6328AF3782E95610F7E7640,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:06.547{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59017-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001042718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:08.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4E856C7BCF712FAA5DE16E5FD99193,SHA256=60986A2FE042FC6346CE357D3FA4008E925394F24606ECEF858246A5974FA715,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:05.490{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59017-false10.0.1.14-49672- 354300x8000000000000000972009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:05.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:08.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A678FEC9FB6AA1FA5B35C7AE1ED274,SHA256=934E6FAC7043A97FBC660DC1E338CC249E6E99A76C25D05946DA6E413675E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:09.728{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9321782E2653F9A101BD94A12B529A7C,SHA256=DBF828877A82EA61E7714596C61AF05512D740985E53DF6BA40951D0A4DAF710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:09.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C919DA88575549775BA56316A0B1FE2,SHA256=7F4732322CB1163F9E2986F98ED981B4C2D6BF0665271B204EAF3CFFDBBE4076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:10.827{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F36C0AE68021D05CDA96F8A6DBBC63,SHA256=9F96AA7E8AFF9ED9B5B5FDFEA0E322EBB15FB9BE4A9E2716E1349746F6D86EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:10.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC15D7259901E0B1FAC615CFEC19A3BC,SHA256=0E3186783CD4441F6E63251571E47555BC26F7BFE9DFBDBC49CAF99A8523E4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:11.845{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC1D65A603CCB967E7A505241A5768F,SHA256=9BDB08BF2304F23B6F1427687F785FE01AD20E4F276CA025154979ADAAA28DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:11.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D80765F414D09380471AF4A745745BA8,SHA256=ACF6F9B3F072CA9AC9C14F81FCCA496F1C4B35B0950CA761C0642F55E1B20BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:11.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C91D6D93293C2B6A9CD10373085A52,SHA256=0C0ED7AD4703945049F92B2AB61E2C63207709F2F2F5C8CAAB0B9D2F718B8DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:12.860{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A199F7D16783AE67172D2F60EC8552,SHA256=E11084D6C9442D56DAA0B503C714DD4DB3CF974B73967E788582DE89781FF08B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:12.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62ED4D36F78FBD6AC66CC72CF64DB5D,SHA256=4DD0F206EF4FDC317FA0E4412F2A1E9A81AEE9DF8E98540190B0047EDCE138A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:08.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59018-false10.0.1.12-8000- 354300x8000000000000000972015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:08.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:11.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:13.875{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DC5565BC29D573CCEDA42DD76277D2,SHA256=C04ADA9CA6765934C2FA5E3A147EA8AFD4656EC2E550FE2E969668F25D1F9777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:13.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999C85AEDEE6188587786AEDABF3A9AE,SHA256=CCF28F3F758278409284FFA8DCA586A7BD2F33278B04D6C2A0A86F082927E8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:13.022{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:14.890{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE1C4D8648FA082CE12432C1C875B6F,SHA256=047FF4BEE43E2C60CE956BC48763705678B130C88125E2DC0121C13132EA2A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:11.652{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59019-false10.0.1.12-8089- 354300x8000000000000000972022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:11.448{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:14.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314D197D8CDDDBD34EDF68D4B2285A7F,SHA256=1F1A2E58006D2817D0C397D773C4869EF1E9AC2AFC464165A8FAE0EC36F07F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:14.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085BAE5693D8EFA75E11F81DF85FC75C,SHA256=09F7587B95A5822E78E6924CDBBE153CDEB6F00EA5CA33401934B534A5CC72FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:15.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4267112E51F6010FF188F87C71D9308A,SHA256=ED4061051A09938BB667A0EE0E3821E8B0B99178F865DBEC4483D2CD7C28359E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:15.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148FC50A1B0DD6C5EEF650A02B005028,SHA256=2B7B0F4BED213D8744992D698952E7899B77098C9F0AB797C313615A7FF6C013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40044BC87A4C5BA7F5697E00201A5934,SHA256=E0419932CF71A92835C8782CCD64BDD120F97B025FE1EDBBD1A13E1E21C18726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:16.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9028028363C793B74B2F520032624236,SHA256=8A413A00A2D758B1487755DD24E49EBD83676FC54B43210486938DC30DBCCC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:16.288{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5765520CC28F1E7C84433BC0E190A4,SHA256=3986403BCAA29D18D4FA52B5F15CA335051BD0ABB01C7FF02529FF1740DE5D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30544D10124D308A7BE76E92F7543124,SHA256=86B0A6DF280D5FCFE9E4D265FAD1C190BE317E970C602EA4362F40E130F1D82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1689B73C6EA2EB41F14ADB311A68E6A7,SHA256=2C6976D845DF8A973E79B89836690DE4FB4AB8C0856B1B6A97774DBF8FC7D923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.458{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=62388BAEB7CAF744239D575AADB2D9F3,SHA256=C4A9290990A5C41F7687249FDE4E457B2DC1AF25340A7480F468E01C22EBCAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:17.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC27CF59A8F80503F94AB1C6FFDC0A37,SHA256=EF4E31528470F799710D0DD334230AF86E13343BA7073DA70533E902BB4B3DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:17.855{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4278MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:17.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832338B795BC222C398FBB468CA041F1,SHA256=FB97B75AF51CE14BDB14FE920C0F133BA512B495315154C80BD3255A52927F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:14.614{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64437-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000972027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:13.713{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:18.989{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E645D10E8913D29CF7980FA3AC3A070,SHA256=CD171C529AF2E518C31F62E497E50EBF274974A6EB4C796E89D8DAC3FA0DDE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:18.854{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4279MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:18.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60359870729B2703AC561AE04E33692D,SHA256=4366EA7F94F3BD411EB992F39EE03ECCE3335D49FF0DA823055C7F6D7FB93FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:18.242{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30544D10124D308A7BE76E92F7543124,SHA256=86B0A6DF280D5FCFE9E4D265FAD1C190BE317E970C602EA4362F40E130F1D82C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.129{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de60484-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:15.713{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65304-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:15.713{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65304-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:15.532{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59234-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000972030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:14.807{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59020-false10.0.1.12-8000- 23542300x8000000000000000972033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:19.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB60097E92B17E64F1FC680E8763705E,SHA256=69FFD128B3BB9AF47EAD7C274598CE12314FB907450399EA97374366C1BE421B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:19.523{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D349C77E532B806FC648ACDF311B2236,SHA256=222966870B11217F034DB664523AC81EDC00719A824CE72EF4E0E5F297B81B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.587{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59941-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:20.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D02F01B98755DFCC40377F292E5B26,SHA256=F69E4DF152EB582D0A18B49239651F1F026911968AB73563063D2BA17713D923,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:17.653{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de58506-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:16.912{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:20.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243F429FD78C87062C71085EDF88ABBB,SHA256=C3E6C8868B1CB97AD1D5075C45BC424FA23FB4ED8BCE67ECC120916DF66545AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:18.671{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:21.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB0B8FCAA1D7D82D67E34B9BBFF642A8,SHA256=1C1577B008B6E40DAD84C011839660C1581C16CE4CCC8D68840A0BE7609EFCB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:21.022{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FC96E82FDD5743FFC3A6CDDABF954D,SHA256=D4DD782E6AEE818E067ECA94E458A5392F0E43055314552FE5C9C8627CF0516A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:21.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202DAB360C0252485021D6076FAE82BC,SHA256=E6E9B8BADF731DC94BB17DDE8D99C5E6D0F6F07745BE20554EAC92A4031205E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:22.040{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F84D2E4BA39497E1B41202763F1AD9,SHA256=8C8299B2D4B742E588B582B56E57DF4D3C38409C38F6CC86717C9D82BE9C3DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:22.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CC5F29D285688F0648D85407BC25FD,SHA256=8BF8D9D3467C9CBD13C917AD21A8507BAC6E570949E10B1F9E9F64718ADC0DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:23.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3C1459CA06522A172470510A683842,SHA256=5DD295F931D1910BD9829BD6D2C9218151B4CFDAC03693BED909102C9BE4AFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:23.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D44E0E0BF6C4B8E1C8B65988091AE4E,SHA256=6C7A5C3EB56793AF5B4B1A4DD25BD2D841293685C2F0BEDD3EC8A50052E34202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:23.058{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D2E3E2DA4342D1840152AA59AA551C,SHA256=F3ED9E05647B71EF05971147EB0EAC912546BE4BF0CA430FACE04DF9A7D9CE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:24.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3489B4B0815C7D08A18246F21397B9FF,SHA256=59029143AC56D1213D22D0A0400BA4E687F65652EF822166D0729FBC9D81CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:24.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD56CC8D56CD2973A34570EDEEAA8F2D,SHA256=92DE44863C4FA8FDCC4531E6EE2A03301C6780308FA054000F5861100568A193,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:20.746{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59021-false10.0.1.12-8000- 23542300x8000000000000000972038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:24.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCDE961F362D43E4DA31EEAA1FAEA6E1,SHA256=CE8E92980574AD9AE772EEF16E4236F0113C45ED443EDAD3ACBB01551A3CC76C,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001042754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:41:24.403{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.13.104757960C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001042753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:24.403{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B8A-6151-4778-00000000FC01}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:21.865{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52559-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:24.088{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71258A8B30FDFF73D4A9EAD7E9AEA168,SHA256=B02B8D0BC2E25E10490C432351E6BBF073E11C4C52CF95C7A5BFC55613B7A3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:25.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3489B4B0815C7D08A18246F21397B9FF,SHA256=59029143AC56D1213D22D0A0400BA4E687F65652EF822166D0729FBC9D81CD2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:21.969{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53365-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:21.871{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64546-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:25.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4DC24BE25F638229A59C4DDE9FE6C5,SHA256=49629BE3A28F56C6125BBD1C86260C2D477888AFBB4028822FFC084297129BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:22.812{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:25.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F964185E6012C0F29B92E546A600F4,SHA256=BA825FAF02E8C6CA3397D76345C4D194609C588DE1406440EF41F200B59D130C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B6-6151-ED78-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-83B6-6151-ED78-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.898{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B6-6151-ED78-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.883{69CF5F33-83B6-6151-ED78-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:22.974{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65384-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000972060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.383{69CF5F33-83B6-6151-EC78-00000000FD01}39401240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F397A4625696F48D42EE2C440DCF682B,SHA256=549EDD3BB6DC556C2745A1C242077901C32EFEB162865D0F8C6C34C559BD28CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:26.323{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A6712426EFE387847C5DDDF0D10EDC,SHA256=1C4E8708970817E35D74E337C06AED3F43D3A8E7B4388055B6067AAB7995031B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B6-6151-EC78-00000000FD01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.195{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.195{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.195{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-83B6-6151-EC78-00000000FD01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.195{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B6-6151-EC78-00000000FD01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.196{69CF5F33-83B6-6151-EC78-00000000FD01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000972090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B7-6151-EE78-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.601{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-83B7-6151-EE78-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.587{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B7-6151-EE78-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.571{69CF5F33-83B7-6151-EE78-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B93A72267688F14245CCD5F8DD7A11,SHA256=7D344CCB1CD794C07B92414C2DE044127E0E1DA1C51884FFEFC276AA71105FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:27.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9568C5C64BA941ED97FB4B5D31F5847A,SHA256=4C31FADE22282FDFEB64ACA627ED6277046CD0C887E8A8AA185E08BF3D2C4CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=512C88DDA05EAB90B683BFD3BE968C46,SHA256=769FEC8D80FBCD3034AA366FC98E8772EF21202B33318DC5C9377C121CDFF97B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:27.117{69CF5F33-83B6-6151-ED78-00000000FD01}6482328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B8-6151-F078-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-83B8-6151-F078-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.976{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B8-6151-F078-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.962{69CF5F33-83B8-6151-F078-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8528232AAFD0301A65697C4CA1B024F5,SHA256=24A9CD9A7ED94262B6F1FD87E54788F04884CED8154A30988E14EDB384B0D297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:28.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D2BA1A5C6EDC85A170CC30364B92A,SHA256=443183C3ABCDC9E38EF3227A8CEAB8A548974495240903FE51CE9D7C829B4E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B308D6FC93EDA46BDE2B52C51B16A9,SHA256=2041213CF39C6620E2C9487EA899DE54F2E8F5ED685B0CE5BE85EBEB26AA02CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.445{69CF5F33-83B8-6151-EF78-00000000FD01}37482848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B8-6151-EF78-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-83B8-6151-EF78-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.289{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B8-6151-EF78-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.274{69CF5F33-83B8-6151-EF78-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000972133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.836{69CF5F33-83B9-6151-F178-00000000FD01}36401984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83B9-6151-F178-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-83B9-6151-F178-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.664{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83B9-6151-F178-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.649{69CF5F33-83B9-6151-F178-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:29.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362DAF2EF6EE4ABED127243FEF24546C,SHA256=A1A79F41FD869D8455720F7B3361C3CA10EA3BCD8985CEE94D1FA8E8701BB2AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:26.683{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59022-false10.0.1.12-8000- 23542300x8000000000000000972135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:30.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAA4D2DC27BCF073659F39C6CE92740,SHA256=CBB687333614AE4E17E4E89B204EF5634AA0885016AEDE5E05B661FEA4302CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:30.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B56F7A72C59A191DE4C00EEEC084F3,SHA256=D5C64C3E1130131E5F5A584E57DAD8BE331C99673A138AC432D1BD3F7C0197E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:30.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353EB5A6B344A91520A7EDDAA0F453A5,SHA256=3DEDF35D3C6AED44955E7E293346476E97067E3A1CC2ABEEAEE491CB92A7A423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:28.713{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:28.417{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:31.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D37013B50382A8229630EBBF106B92B,SHA256=7D199C8D5DB5C803EF64CEF74BE94DC8FFC6B4EBEE57998B64D18BD19F4ABE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:31.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868948FDD268F091EBD0CF5C08A812CF,SHA256=953DD9D7FB6CFCBC27EF372E1B5444ECAA3F32ECFD40BE731AA2212485714FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:32.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2C2B595BE3BD166050E530CCCEFB1C,SHA256=661EABF82DC8350CBA1B209CCB37C428E1A5D7C9D564F26A5F2E588C9C0E038D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:32.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C530517159E692BBDD0B68545493FA8,SHA256=E1E7B49D35E8F78F3E48738E65908640391A6CE895B2F1B496E2790B365DDCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:32.305{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A3D447F1C04F55616FC8D3DFCB38B141,SHA256=A5EB525526B222FB1069847842B8464571E9D67B82E928660F0B0EDC0BA9CC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:32.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C28BFF14BCDAA641EFBAB39B5BDB380F,SHA256=3842464F265688410EC9C5ECC0FA7490AC03C6D0BFD7D49A62C895F1D0BEB539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:33.444{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516B484E0E472C2BB16C48AF63663426,SHA256=64160A4A2E5F927B7C047194BCEB04367A67D5C1230970A17933DF8C0D7E4628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:29.395{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58035-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001042767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:34.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D40030425F86D912C51816AAA2CF562,SHA256=3CA6CF0B441CAF03BD7D22F3A739484A35CEA729377AA0A6D190C8FAAE2150A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:34.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66DC438467F74606BFDF3B929D229BF,SHA256=EF5A16185F80CB49D96746A9F5DD2681D0B1672F13A4CA0FC6B4409B0203D207,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:32.739{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:35.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A457385104DB174754DA4F264874DC11,SHA256=6B0AAB392948C4D965607F7CC46C2500EB0F562F41D6E0ECD7570E76486DB9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:35.927{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:35.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500E18C99624AF70FDA85A2F413944EA,SHA256=FF877EB3E3B7E0D546C6CF0C9BDE74638854F5303C8CD21ECC56917723B68D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:35.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CE5F31EB5F84999B29A8AD12B366DDB,SHA256=712351E19043439C35FFC6A0A696C0923AAB3EE32C706A82D032436CB0B973D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:35.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6730244BA5938ACD3366221313EE04D0,SHA256=A5F25C5EF525173377C9C9D2CDF94568A7FABBF9C75EEABD56B2FAF19B748075,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:33.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:31.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59023-false10.0.1.12-8000- 23542300x8000000000000000972146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:36.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1995BD59F4736AF1D1616A5470CF6D2,SHA256=052D8ED6EAA24DC004BBF82704C3C984B9A9FF273AB543569E4B72D2426B5099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:36.514{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DD892C48FCDAC53810F40B0F09E8BF,SHA256=B18B04D5CC33B629C2E481EBE30522BE919215B25415EB15841511875AF5F27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:37.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A159469E54B9D2AD33DEC163A7E188,SHA256=DCF304DA97C2754E8FBCB583B6560FBCC59ADC5339816115FD4800A018AFFF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:37.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368D35F8D9C1B564355CC45A1F431D07,SHA256=8FBF2AF1DBD8E94AF01424AAFB6A2BAD58F8E9FD41D71CB85A1E12549EA63CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:35.598{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001042776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:38.549{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5C67EFD90CF102A2D5AE88C18C51EA,SHA256=946B4169CC67251C388C3DB30887EAA808C690F22096937F7097DFB98A21C527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87155B9F6F5A5F3FA647B7BF9C58154,SHA256=3DB604DD7351A4AC1979A6ED0D1EA8A8EF378D62C94D4805632F1160E54EBE0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83C2-6151-F278-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.445{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-83C2-6151-F278-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.445{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83C2-6151-F278-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:38.446{69CF5F33-83C2-6151-F278-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:39.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500E18C99624AF70FDA85A2F413944EA,SHA256=FF877EB3E3B7E0D546C6CF0C9BDE74638854F5303C8CD21ECC56917723B68D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:39.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0E39867188E490E0ECF01180BC4FE7,SHA256=15CBC91F68638367A13DF345252DF1D7EC3655D6A52A871C4AC1B69F0DE5748D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:39.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4EE042FFDCDCE254B6EBB1371F2E720,SHA256=8565FF36C8BEBCF85AD1C8C2A6E059A910FA6EBECD70809DB9B894033DC1146E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:39.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB513563EC8F807A1319FACF82FF918,SHA256=7BE745511E4354D2DB27652630E1F2FC7386515017981FA916C160B8BC552D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:39.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=734937273D34829351732C3F9D74DD78,SHA256=3A8010E98300BD443DEE604817CFFBC38273D18C5B8AA34B45AD0FACF4A0333E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:39.014{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=36BF57AB268FEB65ADAAF8DAC57FEF51,SHA256=16E8278C680D3CC86B66993059B6C6408A6B26DE28C578917768C27B0453E449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:40.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E03EF79A548264D204B7B9570BEEDDD,SHA256=CEAD8FB6472C56622311A5D82B8983E8F02589C2EFAA3FA4750CD510409044EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:38.907{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:38.179{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:40.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6FED0D77F9639CE8E19C45B8A2BEFD,SHA256=DDE8A709CC8CCD785E32FE3D2D9F9B6AA5607333F10850C05A915540D21009B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:40.268{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-79BE-6151-D877-00000000FC01}5020C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:41.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F0338CEC5447C10721527ADBE3BE15,SHA256=17F1B8686DBC22D7A325C8C0E0002557AA9606864F4E894AA17AA05AD0E2801E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:41.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1405EFB46233E4F63A42DD5F1189369E,SHA256=2A2508083C4FCF22F08671CD85D1DD17B5E9A2D8DBF4EBC844301F28D77B8C87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:37.808{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59024-false10.0.1.12-8000- 23542300x80000000000000001042785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:42.631{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD312D50BFA571E56A4BECA6FE922B4,SHA256=462A9741D8E8F7BF095324F54876633D9BC4D389E4E74BEE33BC9C7FA0BAABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:42.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1F7E623A0A0D9555784A07B5E29D97,SHA256=F90B58C9C21C2C5D90C553562B463C9EFEF6A1CA3D593006500D010AEF8D9261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:43.982{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:43.982{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:43.652{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C0A4E175B7C51FC52F5F6431E1D01D,SHA256=6011FC36B33D3743D9F0EAF47B04CCC1D1ECB4431B0870899A7C92C8220575E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:43.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10B939BBEA9CB0578754C8E16CFAE29,SHA256=B5E84B5BBB9B0C0E71F6318BE87F7D138FF35144198FDBDACDA5BC1BC708520F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:44.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12D226B3C3E4CB93AF542BD25F71B5B,SHA256=0BC206456661559B39FBA2BB4AF4A0425590079BAFF45AC1E89B901D1139CFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:44.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CCEC5DC69A97DE42515BD8A6C8C5A0,SHA256=5E28BBA0D1594B360EF0A474F99B8061F1CA9049CB92F9672E0BC5CE19299861,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:43.046{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:45.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FE813548F9CA47EFD767F6E19E572E,SHA256=838CD0CE543C44275C893FEEF27829C765D324153E578127EAE95E7B84DAEF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96AE31B05C1EEA73816B61B63C96666,SHA256=5EC5B22C6C5F24BE7EA9C6C7EA74E6DFE464A2F50A10D8BB74507B5341ABF0B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.650{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83C9-6151-4C79-00000000FC01}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-83C9-6151-4C79-00000000FC01}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83C9-6151-4C79-00000000FC01}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.635{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.620{5EBD8912-83C9-6151-4C79-00000000FC01}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001042797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83C9-6151-4B79-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-83C9-6151-4B79-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.035{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83C9-6151-4B79-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.014{5EBD8912-83C9-6151-4B79-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001042820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:44.882{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.703{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0061C8CC990BDFD1A7DA14EC48843ACC,SHA256=BF044B0826AE6C0B12801A37F579034DD39D5F3E4D841BF5F10D9B657F651B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:46.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE3801A07FFCBC09862DCF67EB923BA,SHA256=335862EC309362BDDF19486AA3158B817F598DAD65E4A755CDE9393F5CC04F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:46.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4EE042FFDCDCE254B6EBB1371F2E720,SHA256=8565FF36C8BEBCF85AD1C8C2A6E059A910FA6EBECD70809DB9B894033DC1146E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:43.781{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59025-false10.0.1.12-8000- 23542300x8000000000000000972173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:46.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61518795C2822FE510525C9E96B75728,SHA256=329409BFC5BD44E194EDA5743E4D6BB1F92ED214386DAC82A824978B31605E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.503{5EBD8912-83CA-6151-4D79-00000000FC01}67804408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83CA-6151-4D79-00000000FC01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-83CA-6151-4D79-00000000FC01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.319{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83CA-6151-4D79-00000000FC01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.304{5EBD8912-83CA-6151-4D79-00000000FC01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.252{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4278MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FEB81528405679373E39A5A5717AB47,SHA256=5FDA8B1974F7CED1DC2FD8CADB028E9405717103529AC8721C240EE1F846FA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95BA731C14E9163AFECC09A01E4B773,SHA256=BD9D864A2EFE946BEBA9A6C426200FF65F8885DB9059C8F069A446FCBD414DF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:45.374{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59026-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001042823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:47.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F13C5BFE449A79DDF6B12D82A3AE819,SHA256=3E5819CD8EDE4C7ACEBBDE4A17D231C5F78BD311364F6F1A56214EAF52E77008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:44.460{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50788-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:44.317{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59026-false10.0.1.14-49672- 23542300x8000000000000000972177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:47.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533FA5ABE033D955AC3D4D9BDFEFE92D,SHA256=FCF9DC4BD0E070FEF775396F0F23175A7721B35C451E86843DE9D4DCB77CF511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:47.319{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FEB81528405679373E39A5A5717AB47,SHA256=5FDA8B1974F7CED1DC2FD8CADB028E9405717103529AC8721C240EE1F846FA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:47.271{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4279MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:48.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE9510355715A380F2A0A231E3C3486,SHA256=366282D289369B269448078E4C72E4340214280ECBF4123E97445CA81A0258EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:46.130{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:48.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747DC42B2FBD79439B496A9AE15BDC99,SHA256=3310CFCBE995A398B92C237CCB968806C085F6BEBCD41E27D582A283BFCB067E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:49.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AD5D768876F5BCC22B1D0DD66B06CF,SHA256=A1782FFC403453036E56F00EBBB34A579AA7E59C7258E73CAAD9F777A4975F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:49.114{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-49438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:50.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E021200140B64792CD4B47103DC1A5,SHA256=9436865490421546E0982D080D2198B7436D35E1B568785C65CC2F0D105DF0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:50.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50226083AA231140A5569291C75289C1,SHA256=E99CC51A74E4135AB8FE6931D81BA506481E2277C5361EC0A298C4C2236F5ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:50.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89EE509AACF10A7D710FB42F89E0D9C8,SHA256=0501CCB9CEFCF2C6492FC571222B0603523F699B1BC30E7E666FA73565643781,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:50.430{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54129-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:51.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F0556C79EBB3A58463347AA8A55187,SHA256=99ADBD249EA965F00F57E26995FFB553763A91F8EF6206D81C990D9C67E2F68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:51.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F78FD144A38C1FFAC42CC2ED90BCB69,SHA256=4AB6BE9DEEDB7FB9ED7373796172AA4CA841DC460E4BE1FEA4E07557F79D4FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:52.832{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E450BDC2A9206D7693DA5A924FA9B772,SHA256=862FD61CAA274D9D796DAF468DD12978C24679E148407B082A56C90D17519A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000972206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.590{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.528{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=8518507650E69CA7B57F0006C5B1AA02,SHA256=BBC24016820F76A07A8538CC5246E227DF0CE8E41B1D37FD6B29A71F74E5C131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.528{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-83D0-6151-F378-00000000FD01}2504C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.512{69CF5F33-83D0-6151-F478-00000000FD01}29043240C:\Windows\system32\conhost.exe{69CF5F33-83D0-6151-F378-00000000FD01}2504C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-83D0-6151-F478-00000000FD01}2904C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-83D0-6151-F378-00000000FD01}2504C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.497{69CF5F33-7F28-614D-1600-00000000FD01}12161740C:\Windows\system32\svchost.exe{69CF5F33-83D0-6151-F378-00000000FD01}2504C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.481{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.481{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:52.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1673FA5E5FC1C2E23B269991D0150AC9,SHA256=E60D9471609A4234A7199447ED4912DBA3E7F32D8F6AD179F404CAA1F3598DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:52.247{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B4EAEC177699F94F4AE8C559976B22,SHA256=C053546AD8FB96597D54C1EC3415B14AF83A1DB51045BBA9CADC7D267081C586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:53.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FC1723210CC686263A7592625CA581,SHA256=C6FA265294AE2D4152E345CD8DC3BDFC5F19FBEF7AD378C237578A077D316436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5199A08A897469B46A5B1E094C9E6E,SHA256=A6C324B3C8C001345F17F833E2E0AA0FAA5A119B78485078BA88C755BE1F2280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8062F49CC38CD884A19382C02529B22F,SHA256=92AA66C2EC0C5909C56729CB80BAD0600E8E78C8A056C9679EF67FEF507018A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE3801A07FFCBC09862DCF67EB923BA,SHA256=335862EC309362BDDF19486AA3158B817F598DAD65E4A755CDE9393F5CC04F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55E8777066658CE93AC091314A0895F8,SHA256=13736469974F1F1529E7B445107D9DF935E318B89A7E7A633925FFCF3B74CC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167EF7B4E183A1467B1D27544C75FD4B,SHA256=68646A471D2309084811ED3CBB8CDFAAFF26516D05A193DF50FAB33B689FF835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:53.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE06F8E1505935A9B0B51FD005457B20,SHA256=ED7B3D6F23C9E69DA61AE4A0DBC233F53761AEC7B2675555E185F2B2F15AEFD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:50.792{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001042835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:50.628{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54323-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000972208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:49.688{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59027-false10.0.1.12-8000- 23542300x80000000000000001042849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.884{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CABB694846BE4BC235895C7A92B1B4,SHA256=1570D20E2DD0A5DDEFC3659B98EFC4430DFB75008A60E9D7E513CFC15865D7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:54.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D07D8BB514BE18CF9DB0B94671C3F7,SHA256=F09B2D965AB6172EDE48C0CD0A9F262FCAD8FD9401D35E04E4E5045D180ACA13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.600{5EBD8912-83D2-6151-4E79-00000000FC01}49725080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.384{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83D2-6151-4E79-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.382{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.382{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.381{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-83D2-6151-4E79-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.381{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83D2-6151-4E79-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:54.363{5EBD8912-83D2-6151-4E79-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001042839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:52.313{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-60645- 354300x8000000000000000972214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:51.283{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59028-false20.73.194.208-443https 23542300x8000000000000000972216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:55.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C893FD19928263F9C0A46E0C266F4DC,SHA256=3F3EC1E01F9683FE60713F62BB66B23673E1EC26B4BEDF613F545FC1209BFBE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.962{5EBD8912-83D3-6151-5079-00000000FC01}58802364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.762{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83D3-6151-5079-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-83D3-6151-5079-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.746{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83D3-6151-5079-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.731{5EBD8912-83D3-6151-5079-00000000FC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE013F13A8A40FBCA3EDD8B088638E77,SHA256=93715FFBC0994A7BA2D7728AFD6223EC824A4B08E840E4C09B2C2188FC785546,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.199{5EBD8912-83D3-6151-4F79-00000000FC01}63606588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83D3-6151-4F79-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-83D3-6151-4F79-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.062{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83D3-6151-4F79-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.047{5EBD8912-83D3-6151-4F79-00000000FC01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:56.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEC143FC78736731E64D97E06279B85,SHA256=07C1828C1F1BCA0308E60AAF9E0AF001515F4EA9493A8DD116BE332C246AF727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.614{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F36CF536DE9CB76E5A283332BE5BE282,SHA256=27681C08724BD56BB51A93D766798D10A5183A18A12FBF826855E218E72BA90B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-83D4-6151-5179-00000000FC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-83D4-6151-5179-00000000FC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001042871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.446{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-83D4-6151-5179-00000000FC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001042870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.431{5EBD8912-83D4-6151-5179-00000000FC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001042869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91F6E3945C6B0DC7056A3886C74DA15,SHA256=ACE9D433D46FBFE720DEA273EAA7E51E8E524C081D1A9D391FE63878473D4C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:56.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5199A08A897469B46A5B1E094C9E6E,SHA256=A6C324B3C8C001345F17F833E2E0AA0FAA5A119B78485078BA88C755BE1F2280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:57.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49769B8F67CF5BBAB6A7F2CDB57002C3,SHA256=D8CE0BCB7462EC2BB2253A3FE9B328AE8D8FBEA47739A5AFE501F8CA5B1601B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.009{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59468-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:57.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF660A81FD2C162FB9C7E68DC48DB33,SHA256=94EDFF981390BFABACDB74494DB5D8536FDE928E4FBE426DDDEE90AACA164F03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:53.791{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:56.005{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:55.922{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:58.097{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFBC92F95B9F89F64C61DCCE53CB4B9,SHA256=EF891D4C841D6252095C882518DAD38FBCDEF3EE7F5014BE489C091447FD4CF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:54.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59029-false10.0.1.12-8000- 23542300x80000000000000001042884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:59.212{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1D55CB2D03FF4C0AF6394C17AC870D,SHA256=2905AFB490EF47B4C07E38340CA9E859335C44B9297985988FC4ECC82EC5ACE5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000972232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000972231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb2e0a4) 13241300x8000000000000000972230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0x27414822) 13241300x8000000000000000972229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37b-0x8905b022) 13241300x8000000000000000972228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0xeaca1822) 13241300x8000000000000000972227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000972226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb2e0a4) 13241300x8000000000000000972225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0x2738362c) 13241300x8000000000000000972224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37b-0x88fc9e2c) 13241300x8000000000000000972223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:41:59.794{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0xeac1062c) 23542300x8000000000000000972222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:58.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38CFDDAD2D40E5A0D77854564B2B552,SHA256=EE6D471F0E85AAF36FAB0F0C2503A775F58A904A2E65E20693113BC4A30DAF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:00.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB0E1168021F504BB2BEDC59933BFCEC,SHA256=03F078243171A9932E90EB9C33A69D3750A765C9E2F5764F2F0CB3BDA628F6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:00.311{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718182A09E7929EFE4938F3860ADD190,SHA256=27C1DDA82450661F8F57E3FF5712D887D3FDADA32F431AF9CDB0D504C312D52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:00.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D78D1509F41DC579AC30DC9B6357C4,SHA256=0031438F3AD2810179D35F4CF11833468CADFBDE2CE3A663CBB1C0F3797DF091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:01.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6264DBEF8F1281BEF16447F110F53F,SHA256=C041CCC0DFEC0D92724C25DD60DC8109B6649795FBC605EC9E19B1180E3BC1C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:41:58.360{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59749-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:01.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5EEB8972770A24DFC0D9C6B18CBBD50,SHA256=B2C782A5567DE7D965E08628EB8D942947869482277B18B6EB6436F336B19983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:01.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043902A7DFD65097A936016F6E568AE3,SHA256=AE3554057D606543DEDE28E3E6C239C758D459BA01A3E1C118AE399462FF640C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:41:58.726{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:02.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4D1E49A48DACFBB98C0D697D26927E,SHA256=A077C01E34AEB1E759CB532D118FE6ADEBF7F5C415F821EC48E3E2A30A3D0332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:02.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC00C6E87F1E3DCD52C668D957FCC906,SHA256=7082513696B36605B5C4C504D8E038460F089292A6DD9A797537A0761265DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:03.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0E0B97AA16C54179F6D63D8A2D3BD4,SHA256=8A46485648080DF641056C0B5AD2FDF5FF00FCC2E41B2333E217637DEABB9A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:03.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0B708E92D9ABFE1410EED83FCCABB,SHA256=FA9CB382C10FC907CE6E87AF214DF4529FD5C5770E388C06BF0C953AD697799C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:03.493{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379E37C31D50A2D9DDF4AD463DEF7D01,SHA256=58EB59EE0C9850EB224978B37077D484EAE181860AA0EF701E239B749DDDFA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:00.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59030-false10.0.1.12-8000- 23542300x8000000000000000972243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:04.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EF46E2D5892DA1FBD9E09C75A9F93C,SHA256=0E59F9E3F9C1F00CCAD715B85AEC8F5DDE04BBB259E8BCFC258F6B0B117A5329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:04.493{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442E3406EF825E84E12FD9C4242CE6A2,SHA256=25962301327DE6CD1B83BF883DB3DFAA0D4D4BADF8654D23DAF3BF152C82C365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:01.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com29885-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:01.276{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001042891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:01.817{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:02.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:05.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05ABFEB379EC5159FCEBF972C56A02B,SHA256=3D7F1981E866249D69703EB664B94D7E6193F4E4940407129AE14F1A1156E81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:05.524{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA99789ACC1E01260D501B92ED0E77C5,SHA256=25AC322958741FCC82B646A361F5BBF798A29AFDECEE4DE596A2E715758316B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:05.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BDFF01CD392069EF3DBB811112D7EF2,SHA256=2F77781A5453334B0D9C202A536794AE551E6905F45AC0CCD27E6D4CF96592B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:06.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E82374D9A5C34CE1E9310556466A08C,SHA256=B785B2238750133159F927DEE5AAC4F3B9210BAB772C7DADAAED1BD9EF3FC97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:06.539{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF4DDC4C1A6F5170F70DCD164DD5400,SHA256=FA91A335B01E187C26BC99475C847493216B43EE861B99F8CB7E6D23ED3D85A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:07.798{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA0A0EA3E9E0FE9190769397DB8A604,SHA256=C4C54EA47D16A95E110841ECEA89466DBC8C3FF5FCB7F051F81C3A05BDB5EAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:07.573{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F99341CAB245595C2895C86FD75435,SHA256=94796D8F34692C91E856A374A4C2B8EFD95A548A4684EA8003629DA6E76A4B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E5AB17C78308EA1E883465814FA9B2,SHA256=797BB30FA73A325AE7015ACFCFC42F0F21ADB6A9581589112FB9339CBD27ED0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:08.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86933907F92C0571AC94C325EB2ECC2E,SHA256=420D930D8F2AC32D32EDA3102B6F07992B2717AB87AEDB30DE38B47C745B4878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:08.737{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405AF6C0DBA01D19570D11D78B548199,SHA256=D84407B6F938E13B94C52B54EB73D0F3E9F18F667342EB289592E404A4EDC9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:08.737{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47D8A866CB9B1D0C449F76831BA74199,SHA256=D03A4A23B83FC6032E57A3DB4003880F7A7998C4D31A2DC3AFCA162FA8A4966F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:09.821{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D83D0B5E7E027CE6F628F91848A701,SHA256=C46906E83421293B3DED2F467D3B834C39E54D5E2E39B9A9B24F1534BD102480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:09.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D8C1C53D1231AD0B88B0E1318E272F,SHA256=FACADBBF995F7E9038F96239F9F749D7B7D45549A9623DE69042009A615C2A29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:07.358{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com33833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001042899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:07.080{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64697-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:09.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2BD68E2E3B136FF315B27A7E0E18B0,SHA256=9AF38242379275B38D61DBCD64B791586A990AE64C9C1E1DE199B639383BAF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:10.836{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F158DCE20A72DDF80785A4FEE03B57,SHA256=C2243248B4CC7FF68A68C721CEDEE79F1E3D25B8DC1D9FB1ED6EF142946F268A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:10.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE06DF4F12F68CD6509B955B75875EF7,SHA256=CBBD1BA07AFD57F53F9DD18575FE32041AA110E7F90B032E1256AC99D49CB5EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:07.844{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:06.130{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:05.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59031-false10.0.1.12-8000- 23542300x8000000000000000972255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:11.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCAF5CCFD851B2A00A53EAAAFC81797,SHA256=7E1A2EC8B507F76D6C9B54A7F0A6B09E76E2A052BFEDC4F9A813E16541278B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:11.851{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1453AD7EC455F4A81D94C06356BFD0F,SHA256=893C4A152A74EA86282CD2ACE604F47C6FCBD55E9D07D359C6CD7D9D97614EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:12.869{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90FDB52AA0B58E67F9CC9D11BFB1FB4,SHA256=CBD894296E9A9624EB6F65EAB94330355E77F37B4A18CF3E572FB6A57A40294F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:12.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53597CCF4D2C17A4987B69DFBB7DD8FF,SHA256=BA92DF3E2D27A68D0E04F4AD671E2553014C7F0BFD08B278009513178EFA8795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:13.902{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FB84F9C922659031B29543D46B7000,SHA256=4BB64A4700BB4AFC5DFA784F03C86EB024F66C0B3438E24DB9EEBC3EBB3AA00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:13.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C796481A48893D47E4B544E31492655,SHA256=46EC2D3894B54A6EFA02CD84E6544267484BCC4BFA1A11E04B6B3FC20A23F0CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001042915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001042914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb31a71) 13241300x80000000000000001042913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0x2f9773e5) 13241300x80000000000000001042912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37b-0x915bdbe5) 13241300x80000000000000001042911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0xf32043e5) 13241300x80000000000000001042910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001042909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb31a71) 13241300x80000000000000001042908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0x2f9773e5) 13241300x80000000000000001042907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37b-0x915bdbe5) 13241300x80000000000000001042906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:42:13.534{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b383-0xf32043e5) 23542300x8000000000000000972257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:13.048{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:14.948{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472267F99416EFDEB90E0824681B1104,SHA256=4F8BEFCB644BDB638D581A53F73688DC00E8834D1DDA411FDE55CB42FF0E5931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:14.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B7AF2C88FC680DCE10992BEBD21D00,SHA256=1A62B723BC3124F28D126A22571553E05447429C9B79E1B2F30B0406C9F5533A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:14.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B991D987B3B618CC936761ADEAB10,SHA256=CF5BB4F8FC272A052F6942FE68338500B0CE565254E5E3D439B4B26E4DF383C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:14.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3084BCE1F76BA1030EC214EABB84DEDE,SHA256=67324883885518DCE64130D01118F7BA79C1EE8E75CAFE1EE5E07011F3903BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:11.677{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59032-false10.0.1.12-8089- 23542300x80000000000000001042919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:15.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B48D7B2DA64FF769F6A5AD16D0886E0,SHA256=EFB13996BCCA8B9BA9E48D8728746897DB927998404A070C3667EFC99D6750C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:15.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4F574EF97702CEEF1F94BE13ACBCE3,SHA256=8977F04B5992549BDB11B25B556EF2B8F8E662A976F7D27D452CB0B2882C5567,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:13.725{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:11.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:11.786{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59033-false10.0.1.12-8000- 23542300x80000000000000001042923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:16.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51838E15375ABB441FB5C6D0DA00037,SHA256=F17E0F72123EB15AE5E0B9F0E2AB74D05466D1AE3BFD6EE18236D7B0BD94CC1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:16.473{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001042921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:16.473{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:16.473{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfb325ea.TMPMD5=E91C690A796521635E3682A894D219DC,SHA256=555FF92FD1597E82A8E4E3BE9D6A27144CAC78A5AAFEC6001724CE0F8D5CEF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001042963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.504{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001042928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.451{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001042927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:15.723{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65318-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001042926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:15.723{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65318-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001042925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5A6145B4246BF7A093B36966E1EB155,SHA256=0F92964764E96C8EA706FCB78BFC016EC5A56EF7A785B342FC5C3C3C18C44AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405AF6C0DBA01D19570D11D78B548199,SHA256=D84407B6F938E13B94C52B54EB73D0F3E9F18F667342EB289592E404A4EDC9C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:14.692{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53777-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:17.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B991D987B3B618CC936761ADEAB10,SHA256=CF5BB4F8FC272A052F6942FE68338500B0CE565254E5E3D439B4B26E4DF383C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:17.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A39E9E80F4B287EA7EE15F006FF4D51,SHA256=15F3CE03AA28FF9C8A9EFFDD7EB1658106A1D0B3B44F828D8EC52B4F3082439D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:18.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172171C7B62C450D5EFDF2DB7296577F,SHA256=5E41FCB98F80FBAA2E2DC75143EAFD45676E209C849F8DEA86C7A43BC95CBB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:18.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5A6145B4246BF7A093B36966E1EB155,SHA256=0F92964764E96C8EA706FCB78BFC016EC5A56EF7A785B342FC5C3C3C18C44AB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:16.198{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54071-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:18.251{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0493773854660FF1F7918D0FA350CD3C,SHA256=2294A5C2C2BB2EACAB42F46C6CCE4220E7A54672513E52031E97E1D3529E3770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:17.553{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:19.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE970673BEC3B506E0E411E2B672EFE,SHA256=B1114E486E69DCBE9B170AE509F8A5E52FCCF5A59CFABA70166E799FED661136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:16.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59034-false10.0.1.12-8000- 23542300x8000000000000000972271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:19.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E861A3CEF66A937A51001C90397D8E86,SHA256=5B4867DF20EF7199B50990FE4E80630DF86BD605EA552EA4D3E12ECA91942FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:19.381{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4279MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:20.448{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE799F4C3161917834148F11BBC32E0B,SHA256=24BEF9F92FE4C0C3422649FE7EB4D999B0D6D048C216713177B4CA618DBA472C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:20.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A279237AE4264B53D545594503AC834,SHA256=1F5CC5F55F47317EDD42051C27493AA04E0D50EFA2EF0DFA53D8F9421B0862ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:20.395{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4280MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:21.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA940A50C0E1CCE5C0A8EA97AED51A6E,SHA256=41F42F16FAD18A80C7181A6363EB85F961954DFF9DD571974E390BA6F2AFB286,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:18.810{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:21.465{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800B210DD73722A3758CED2698ECC31F,SHA256=C7F9304A207CA7797C572BA72A1B07DB569AE615F5E3724F84FBBF011CCB7500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:22.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290DCDF1D7588CD573C39412C00C11DE,SHA256=9F06C9EB27CA8CACB4232061551AB280B4BF445BB7EC6FE131D5A417C7B93DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:22.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FD6B8E7FB6037B0198AFDF1E238F8E,SHA256=AB938BC9DAD680F5D5ECDF322FB7E4BC194331C30A44288D8C5B8BC43FE918C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:23.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7A78DA7E826D3A88D52FFC0C0C9CE,SHA256=FA949C91A1265E8653F5285D6FD20EA3A02443619A0A066301817586E6D63333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:23.515{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382CC801BF5A2ACB27D25D7C0C8CC968,SHA256=ECFA0460DDDE59C3C4A2753B80C20814D23A51CA5E8B9E9D9989CD74009D5206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:24.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C744A3A81F6144047A1F07BDEE769996,SHA256=3814A47EBD68E4F1CAFC2B6DE9907E563E393E7D03D8AA55F1728E57D41B628A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:24.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C657AF210F45B301BCF47D37246B6097,SHA256=B4B85CD0AF108922BDEF109FCA31F09F7D0213040CD45D83DB2B1F2BAF7B6F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:25.893{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F035AF58CE84069200B02C3B1D9346F1,SHA256=AF290C03BCD43B88E797CECEC2EF0FF613EAB6136A178483E2458C04C48972D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:25.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B84AA9947073FC6C90C24728A44369,SHA256=EDD865A46885B1E0826243C44614FFD99C09B976C8988EF632AE51B46A7308F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:24.738{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:26.546{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7C324F4315401C47CB583126DD2AE2,SHA256=54C795866A34AFAF7DCCDCCBF01E266E0C36B4B96387E2F3E6B839909FEF20C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F2-6151-F678-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-83F2-6151-F678-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.878{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F2-6151-F678-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.863{69CF5F33-83F2-6151-F678-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C939F6345947EF8329855724AC753E7,SHA256=5C91CE0A25562CF5AC3351A5045F0F345D58572F7A283F77F343D13FED7BC83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A6750E3A0AF437B772CA44E4C2ED6A6,SHA256=5EF1930FC68CED0BC8512B82028534358B58E607988667909F9CEC4D5493481C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.534{69CF5F33-83F2-6151-F578-00000000FD01}40481932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F2-6151-F578-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-83F2-6151-F578-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.206{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F2-6151-F578-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:26.191{69CF5F33-83F2-6151-F578-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:22.787{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59035-false10.0.1.12-8000- 23542300x80000000000000001042978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:27.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2151D29BAF29B605B4A7D5CD810A402,SHA256=5447BAD055CED86057314C3C87B90B1545F91B73FA6336C104AE13B5A85A6394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.893{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C939F6345947EF8329855724AC753E7,SHA256=5C91CE0A25562CF5AC3351A5045F0F345D58572F7A283F77F343D13FED7BC83A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F3-6151-F778-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-83F3-6151-F778-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.565{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F3-6151-F778-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.551{69CF5F33-83F3-6151-F778-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:23.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102B505A931ECF6CF0C2BED2EFDE6785,SHA256=AC3C230B9B9439349EB6C664CDAC332C095AC695505931320136E7B99696FA5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:27.049{69CF5F33-83F2-6151-F678-00000000FD01}3508824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001042979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:28.614{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD93B157B4E322A7EE43B1A61AF2B5AB,SHA256=08ADCF17BEBB68AD4E838CC43598AC207B82E5732350B6F66FD2CDC7433BE3A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F4-6151-F978-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-83F4-6151-F978-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.924{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F4-6151-F978-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.909{69CF5F33-83F4-6151-F978-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:25.935{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60768-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000972341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.424{69CF5F33-83F4-6151-F878-00000000FD01}40123296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F4-6151-F878-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-83F4-6151-F878-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.237{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F4-6151-F878-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.223{69CF5F33-83F4-6151-F878-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6396DEFADE5FAA0D99007278AAF86AA,SHA256=F9CA0B868BA4B5C2A32F3904520FADE1C0DB1AF53889FF027E60D6F94F983359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:29.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835270FBDDC6CA11B8E85AB9B2A20B67,SHA256=A597A45C3A5E4131934A49267E5F212BC237EE716F0D2D590D8067B30B99BFEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.784{69CF5F33-83F5-6151-FA78-00000000FD01}9201992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83F5-6151-FA78-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-83F5-6151-FA78-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.612{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83F5-6151-FA78-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.597{69CF5F33-83F5-6151-FA78-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7ADCA412F747887E856AFAA9B1A1237,SHA256=B36C216EB9DEAFD43AA3634BEF84EC2DD3800EBB891BB5AEF0B60953731640FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:29.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13FCEF7ADC4B5FD34FB53928CC915F59,SHA256=CFF3037F28CE88A3FD76ECDCC92D9EF1C4F43AEFD191C931D55C30F233F0549E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:30.645{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501F176DBE09995945FAA5FB3A5842B7,SHA256=0C6AD1DB58687C2A98C08F13A46C616835F7E5510739698D56661CE001940B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:30.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9343540C676278A8E14EAE900D5D9420,SHA256=5146F3ACB2886214C50C491667618834B82D7EC20210779C88EDECC719B42F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:30.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C1273BB265103E5D9C3AFF29D7FC8E,SHA256=8F6D82F437B18D0B244CE269B9DD707ED95D1D625883CF9C2D190D28EFDEAFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:28.680{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59036-false10.0.1.12-8000- 23542300x8000000000000000972374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:31.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5CE6BAAD2E4D594D8945DFA7102560,SHA256=25C06466CC3F5E84F9EA3D36C5D175046B1F79C8E581344794E02EDA77909ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:31.868{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7F7CBF420056D9812B7600BD58D972,SHA256=B1B7BE16F4215E64FE2D9EBE3992D8A233E3ADAEC1C80DD1AAE0EF3F42DBC037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:31.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41D8A5422796C58D8C3AF1702F0BED23,SHA256=5C20EDD733C758C5B9D786E7209D2CC8B7879022FA90E8FC816E98FE2CE67E39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:29.851{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001042983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:31.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF38B82D6139473E5519270DC43DA6BF,SHA256=16733A6C4D8D3ECE2F12E2C5154021FB7D0F6EB6AC736EF30D63D36B0D6D5A92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:29.469{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62467-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:32.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C8E5873BE665395F24DF76C31D62FF,SHA256=322FDCA79D6C8777F77F56780E7777EA3BF81F74B71B69AC8E342D9C820E2C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:30.830{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63321-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:32.665{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECB256885383A9DB6C0E2F20C4E4A41,SHA256=2BB4AFB0A7FD7E8524AA7AA0873A83B5FBACB5FF98FA989221FB0D45CDC3E784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:32.315{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=761B03C2E03E461E4C37E4F8DEE7F26E,SHA256=312DED94617C14AA942E148D6F1F17C25B41E52C56DAA2F98392897601837B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:33.898{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4401EA6719A97B0765907ADBF0FCE36,SHA256=5F2663DCE1564039E8A6C2B69460C31439EC16F453528B4BD9876EA91DE8BD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:34.913{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891A00DAE826CF06CD9CF4EE9880B5AB,SHA256=08017F608E6A9103FA787938C1E9252B9A43AADE59C3E95FD7450FDCE6BE896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:34.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6BA108792E6D7A00247596FE6F2821,SHA256=33D10071F0E0F88E9EC4350023A8EBA4278B685F88618C9D430AC58A5D241ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:34.266{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59529-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.963{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.927{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCC3591366741C5F9C304BDDB186BB5,SHA256=CB5C2145188534D45EFDD1756F2CE23FBBEE3643EAB1A281700488F0144C9007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:35.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F32CB317477B2C783BDF7B4AC816F14,SHA256=A53419352E63788D41C782511775313ABEDB19378E6CE598972B54BD450C608A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001042991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.912{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7F7CBF420056D9812B7600BD58D972,SHA256=B1B7BE16F4215E64FE2D9EBE3992D8A233E3ADAEC1C80DD1AAE0EF3F42DBC037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:36.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BB3D42000E3686BF5C216DA4633CE5,SHA256=8687B58B06935A5A617E0EF5CB660C65A9DA09FC1C32E46C0FC5E933351A12C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:37.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1733DFCA5A07182EF9EE5AFF2A7D8B8B,SHA256=1D53267F4502DAF37C7F37DB4E51B2E186878E0D1F3557AF46BC54D3A29ADA0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:34.725{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:37.015{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C245A319507DFB6264701836D5C47117,SHA256=BB46DA2B74323B7A3DE14C45784A8AE34242364FB3A1E56100BA7C867471900D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:33.881{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59037-false10.0.1.12-8000- 10341000x8000000000000000972396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-83FE-6151-FB78-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-83FE-6151-FB78-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.346{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-83FE-6151-FB78-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.332{69CF5F33-83FE-6151-FB78-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF2ED2E39BDF6AA3930898ED12B7D4,SHA256=CF46D7DED0FA3B45701B1B853C9BFD98EDB6A24A3A2BB66D924D0F8D849375FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001042999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.635{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001042998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.215{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001042997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:38.015{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA012602813793AB3A13412F1EA89CC,SHA256=F7C446859B336898516060A454640308A813C980DCD76E9986FF5EBD0A7D296A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08483BCB26459DA917FBCC5FB99D2BE,SHA256=28B07CBC77519D47F6A094379776E8FC6066D0CC87DAA6669FD26EB1FF3BE129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52CAB54DD1B0224FA17FD4EDAAC6F9D8,SHA256=57D5FA3176311323516953DE4BCEB5FC424E46D083DA628CD74A7A9F720F497C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFBEFE6717A31964CE0043A98ED6D6D,SHA256=D841E6A67740394923CEBA514D68E4E903EDA9008D4638C1E19D74C37B09E836,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:35.751{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:39.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928FC5253D0E5D797548AF636ACD2547,SHA256=F5425E7F6710183A191A41F6D78AC16FF4B1F846170288A3EB351303586C6D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:39.018{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A9D176725CD0271542B5ED5D34E1D989,SHA256=563173685BD47348A3D69C95401F6E95BE204B65D4DFBF303BBB9C780381222A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:40.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A73B4A0365DECC26671FF1DDFA7F0F4,SHA256=1330E996E337D4B110CE0DC91E99324839659B0AA01B686222411EEB1568AD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:40.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340DA26BDD4EF73DFCEEC94140E1BBC4,SHA256=A3CCF80DDDCDF2A8C90903CA83A165F47214D1285E5242988E0BCDA2861F6865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:41.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08483BCB26459DA917FBCC5FB99D2BE,SHA256=28B07CBC77519D47F6A094379776E8FC6066D0CC87DAA6669FD26EB1FF3BE129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:41.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9004C021B9167A08BF93702A7B737D,SHA256=7BAC75CE59B95CF9085FDEB8E8538BBEAB566B9044C996E002FEF6C9C10E89D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:41.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8EF6F42457B71AB10B7F72330F3980,SHA256=C5110585903DA1C6238037C0ED7F8F8FD5F4708246769C6BE8DC7E6A21F800EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:37.070{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:42.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4745A7FE46E3D968CC27084D8E0C16A9,SHA256=E849172EE63D3267FD182B13C1F2BC76506D34EB30FDA03BFAC14CD8B6F695DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:42.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5C695D68A8F958D86EBC53A494B302,SHA256=3275E97B869252E6F4F2715A2D827AADE888D2790442E78F9365E8ECDA725386,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:40.213{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59038-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001043005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:42.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033C6ED2DE3B75B142D278E72ED73FF8,SHA256=87DAA150977C32FFC77DA61A0725BA4C748EBE9EB1EE9FA14E7577A229665FB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:38.498{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52680-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:43.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF8F134F3F90B9000D3708BB5BF45F7,SHA256=A6F9E3715915F346FCC8A6F92B6BD98121B85DF7FE6B42A1AD588D7837D415DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:40.876{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:43.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10121047F74B0A1A779FDCFBCC40966,SHA256=6DFCAE57CE9BEF9E7C88C654733F7D87607299BC700F97E05E4F44227D804A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:40.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-58783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:40.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.881{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59039-false10.0.1.12-8000- 354300x8000000000000000972408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.167{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53071-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:39.155{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59038-false10.0.1.14-49672- 23542300x80000000000000001043009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:44.115{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0ABD40552406D4C66E190318497207,SHA256=620C914AE4D8001A1D15E2574CDCCFD8B055BF0F244331088373154DC6C32C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:44.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C1B3A907BAE686CF61F994489801248,SHA256=8A2FDCEC7A72B2AC1A1CB4C5A4C69A0124264C3D27479819AA47C7D26CCEC873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:40.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:42.384{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:41.622{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:45.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA491B9008804E15A5A059DCAB5C135,SHA256=4FB7B28FF579C1A58D0CF5A2DFE50BD8D511858EBAEA79D2CCD4C63FE0A14658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.829{5EBD8912-8405-6151-5379-00000000FC01}48927016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8405-6151-5379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8405-6151-5379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.614{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8405-6151-5379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.599{5EBD8912-8405-6151-5379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001043021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:43.103{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55079-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE5A0E8F5D8ED034BB8D65C08B265BD,SHA256=91A2068214230791D07AE3A3FEBEE632ADE6B423F3DFD0A654AB5668B71905DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE8E5CDC4521B47F4E3423ACFA6FAB1,SHA256=4926E59D9BDEB851D26823AF0ECC5001608D0B941C86D28680852B32170F0437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F91EFDF6BB0655312DC875AA3EA75AF,SHA256=A49DCAC79D9C3AE41D01323E58FFF698FED44CB23474D615424DEB5B6D39541C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8405-6151-5279-00000000FC01}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8405-6151-5279-00000000FC01}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.066{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8405-6151-5279-00000000FC01}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:45.030{5EBD8912-8405-6151-5279-00000000FC01}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:46.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235CCFADC3EFBDBC3D6AE7B6EDF89615,SHA256=F0441D09EE4A993D2546BA9CDB4765C59A9B387E8E14B9DE10BD7460FF5CA6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:46.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30471520C77907ADD1C6F02569A98D5,SHA256=1EB2853E370BFC37A183526D0D4C1AE5DE65293D6BADBE7EF3BE9C02A7BC1BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.645{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE8E5CDC4521B47F4E3423ACFA6FAB1,SHA256=4926E59D9BDEB851D26823AF0ECC5001608D0B941C86D28680852B32170F0437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.244{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8406-6151-5479-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8406-6151-5479-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.228{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8406-6151-5479-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.198{5EBD8912-8406-6151-5479-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE91FFDABBC8A00E7461F934E8B9A11,SHA256=D80395BAF0B79CDC03B91E6C3F389F35B4137A13C56F8271FE46282675D9E029,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:44.112{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com60683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:47.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884F4CD78B1288611CEB360F2C087E49,SHA256=ACB9B4B040620DA3FB007B0156B9E6219DEEDB05EFA6CDED075C272C03C28D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:47.801{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4279MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:47.167{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87329267C7B2B4CA293B4F6B8F70F5A3,SHA256=772B33EE8599D8E16946656380CE9C1566BA9FB77527E7B7E5C39FD20494D0EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:45.647{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59040-false10.0.1.12-8000- 23542300x8000000000000000972422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:48.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E2EE336EE0B19D21E2F2B4FFBF7F80,SHA256=3FA11886CE880BE5C83D9B3825EA58FB85C33FD98682C9F64520E5A580348455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:48.799{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4280MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:48.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A615C578C1D6D31B9FDF575AD591160B,SHA256=A6D81B34E29A9B2FF4C0A23390706C19F74C83A7C4B81E5EAB8914280D5C63FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:46.820{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:49.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEA028848962050F0A27E2122535B0E,SHA256=F937982A19A5BBF1AC6D37981F616F968E168D661AED69A7D1F9A2B1278DD5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:49.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4E777307B5A941184097565C83FE0A,SHA256=AF8B54DC59572E2AE4B55D6AAE1128884AD1C3B22FF1318066FD70B302E08661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:50.269{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2318844BB1AB467F33E209101D6F5CFC,SHA256=68758603DF4AB5EC003BD5DFF6F3FCAD16165318E96653D2C390D6DE26E1C7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:50.262{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865207E1934DABA04E1D3CB8FDB61E1A,SHA256=CF8CEB9A21EF822E3D67670BD422997F535CF39AF5060BE21A10BEA101A33B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:51.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6603F93DFBAC14976BEEF225909A2EE8,SHA256=13E7520A0C15E396D7F0F900ED6EBAAFAD90689B274366AAE3A2F7C383644A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:51.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DC48A83DA7364845AA03E0E0B8E268,SHA256=AD1333BD167881923DA38124C13079DA91FC256696AB562E5DEBC95246072F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:52.723{69CF5F33-7F28-614D-1600-00000000FD01}1216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfb3af5e.TMPMD5=7F096C446AB0CC7C6C5CF9D0E8F5BF39,SHA256=757E30E56E3529A205299C5EC2CC4F1AE45F90399339F4E97AB9B17C3696A774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:52.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335BBEA3A127410B386844601A59BB54,SHA256=01953885158218E9EE165CC50FE276415150327AB0002035BA7BC79338171215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:52.913{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:52.913{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:52.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876AB5DA45FFEA561C3DB4A92F3145F6,SHA256=1C956ED6EC5148AFFDC3D126EA55487C6837164D559671D371AAFBE2369C6069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:53.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7BDAAC1E28D9995DAF78015B6910A8D8,SHA256=22BB2E747CF08516B1F754D84663423859C813947A339B6E9D52E3CF213CDC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:53.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8062F49CC38CD884A19382C02529B22F,SHA256=92AA66C2EC0C5909C56729CB80BAD0600E8E78C8A056C9679EF67FEF507018A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:51.041{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:50.804{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59041-false10.0.1.12-8000- 23542300x8000000000000000972429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:53.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2C2A466AE0683A6803A700C582F81D,SHA256=3F4C24967C99B47C640983C28A463258459A04B02BFC2B9326FC9D89ED1BDF53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:51.951{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:53.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6222EB3D6065EF33AC43B36DF5C6146F,SHA256=4143A9AE5DFD191A51E9D0AC66FACACC0EB62C0400E3EE51C6C5794368B29251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:54.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986060F4375DD92A122E6AEFD2D1261A,SHA256=F870B221F78E63CCC794804BFE24FD457F99A0B834E4F7314CA9B6B9CF097A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-840E-6151-5679-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-840E-6151-5679-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.899{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-840E-6151-5679-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.863{5EBD8912-840E-6151-5679-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.699{5EBD8912-840E-6151-5579-00000000FC01}43766844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:52.148{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E676B649A3E36B752D287AEA759B5C1,SHA256=97D9238409487B0687EA0F45493DA4DC2ECF7721F472494EE7B755EA627ABD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:54.035{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1318D6CBDEED814A8A810151AF6889,SHA256=F74A3AFA4867E5F8C3701FB35B063D84337C8823A14C53109BEDB3B602C5FBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:54.035{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=939A26FE30122094E7DF46A57B73293F,SHA256=6762E227188FEAB0298B91ADED3335A88DB994ECD84F57A26A51A11949C9E13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.313{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-840E-6151-5579-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-840E-6151-5579-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.297{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-840E-6151-5579-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.261{5EBD8912-840E-6151-5579-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EDA0AE03B602886A1DE8712B947844E,SHA256=B6CAE5AE8C228CC454B689244E9515DC4802B4C47ADC3517B1772775CEC0FE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E84D25474439B73C717C3F21C89817B,SHA256=08F20FF60D8CF44D92D2C4DD142E053B8296C18D5439C8193F28EAC7B1AAAB95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.182{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:54.182{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:55.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C9891C1CED15C1001A2D9584082FF4,SHA256=6DFC73D03361DC1F222D7A36D578ADA50466480B45C0AFD86BB1B64F01543AA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.561{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-840F-6151-5779-00000000FC01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-840F-6151-5779-00000000FC01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.546{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-840F-6151-5779-00000000FC01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.518{5EBD8912-840F-6151-5779-00000000FC01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41A52A3BA11744F087FEB5B3D8A7618,SHA256=F40405287FF43AD2ED7B94490A87E64A7344CA0DFC5909FA261EBC52730F4EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EDA0AE03B602886A1DE8712B947844E,SHA256=B6CAE5AE8C228CC454B689244E9515DC4802B4C47ADC3517B1772775CEC0FE63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:55.199{5EBD8912-840E-6151-5679-00000000FC01}15764592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:56.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F1E208A9394CB1DE9A7289568BD95,SHA256=82A528E74082F9B8C48922261D81052ED7FCAF676EA4A814894DF9DBF88A2A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38AEC3ECB6F4AB8DBED5F61647181240,SHA256=4DA0A0BDF6272CDA87888451491F0131EB431C34604A2F844E5BF5A76CFAC298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.472{5EBD8912-8410-6151-5879-00000000FC01}57645276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D6360A748AB0274C3104B8D53779E,SHA256=AED2F06694DA820722ACDD2071663452E5A91F6884FD6B34B027ADF93A82A9F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8410-6151-5879-00000000FC01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8410-6151-5879-00000000FC01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.220{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8410-6151-5879-00000000FC01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.205{5EBD8912-8410-6151-5879-00000000FC01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:57.421{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A710CFDC02D2DC58D2866047748872B6,SHA256=6729BF99505477009256C91A95973D5158E06BE8A06D9E5996725C700AA25087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:57.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2AA67511CDD471251D776BB61F201E,SHA256=F93FEEC0C50830F3B42E410EA8BB6389CB9CE744F2CBFA4DD07DB224847A3C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:58.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73376FB950C13EBB5D17737CBE63F06,SHA256=39FE264AFC4C79F13315E50E6FED1BF578ED385C777B9B1EA53B6D579A846740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E2DCA6B3C7CC6224E432C40364DC68,SHA256=558CD9F1F00CB9E8138C5429F185042B66EDBC95B96FAFA48B3AFCC12FE81DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED73E3BFBB4EC3D31053B276051AC5B9,SHA256=5FE33158D77B24554B18ED6D2AEA135EE28CF696617E79F74B465DFCD13ED1E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.254{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.254{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.207{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:58.207{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:59.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B9A8C12A5A19A176CDC694956C6C36,SHA256=B682A962BC507E8B3A13A60728206AFF9ADE352B0178036AD2E9BD5BAE610092,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:56.945{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61746-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:59.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39650F92757776F7368C9320E706352D,SHA256=9CD0BCD12FF8F2313B470CB4F43883C51938B01C5778604FF6BC58E8B8C82244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:00.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8E469744AD0BACF56F9D435988393B,SHA256=BA5CD01FA34A29A45C3A4286D603B1F1A2ABA4E05701DC0CD85D1FC264CC6376,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:59.042{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de57196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:42:57.916{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:00.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76155B9ED8750C5481EF4906634F39BA,SHA256=08006C740189FA250DA0E952AED411CA13EDAA2978B79C80C03D888FE5E7ECDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:42:56.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59042-false10.0.1.12-8000- 10341000x80000000000000001043136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.766{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.755{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.755{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.748{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.748{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.742{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09C550C6FA6EA81D0C71E523D91C6251,SHA256=A01A5F4B670D519C1A8CE5698CB976587A279566571C59501D0486196CB6501B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.499{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.492{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.485{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.485{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.469{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.468{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.468{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.453{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591C7AA6EE5D258C055B3BBA89472212,SHA256=FD1EE25995973668E3F319C04CFFE59527743468CB52935AFBE815025603FE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.453{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:01.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94F852A86938BE659092C2F816D8F6C,SHA256=7D6BB16CE1E85AC0834C5DBD3874E5CAE52BEEB88E9AE86AF5A783288E6D1064,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.446{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.446{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.432{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.409{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.409{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.409{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.878{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.873{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.678{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.675{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.670{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.657{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.657{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.129{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65330-false104.18.9.111-443https 354300x80000000000000001043143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.125{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65245- 354300x80000000000000001043142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.119{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49914- 354300x80000000000000001043141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.052{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65329-false104.18.8.111-443https 354300x80000000000000001043140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.029{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65328-false104.18.8.111-443https 354300x80000000000000001043139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.026{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53899- 354300x80000000000000001043138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.019{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54717- 23542300x80000000000000001043137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:02.465{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AF2401C133B0DAA53A34DC8669CB3A,SHA256=416999D08B0C840DE9E165057365B90DDF05664723336F6E3A24D5F2D061A376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:02.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEC4B77A8746E3490D12CA0A0B1B4F33,SHA256=26555CF9148F3E2EAC155709EC149EEB8FF519311C852424A20DA881B567FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:02.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1318D6CBDEED814A8A810151AF6889,SHA256=F74A3AFA4867E5F8C3701FB35B063D84337C8823A14C53109BEDB3B602C5FBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:02.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E3910F56C3E3CAAEBDD29532C19BDB,SHA256=6AA482F100CE2F5EA9B0A12C27B384BC74BD95B534D2BB7A6CDA3DCE359BAF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:03.474{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0B61EB06F773CD8902C931A088BA1C,SHA256=313EEE4F404136A1706B6E7D5D9B3791FB02871884E6C8BA9E496682501BBD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:03.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817C38B47588A1B7B83B07F6BD99457E,SHA256=790D367B71E9A92CC265DF3EDCA26971A6D5B4181BBCC16052789B4830DDDD3E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001043152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:01.433{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.gitbook.com0104.18.9.111;104.18.8.111;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000972448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:00.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50081-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001043156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:04.847{5EBD8912-7F30-614D-1600-00000000FC01}12683732C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:04.847{5EBD8912-7F30-614D-1600-00000000FC01}12683732C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:04.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9360318E114A825ED0556F125877FCC,SHA256=BFC3D27740CCFAA4F26817D38D54AC31BFC0E8E005BC69C9A4D3B0C140C436F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:04.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F646B9933182856F26ADA4A9E9A6D0D,SHA256=6171439FA06CFAF498A863D951B3271EDC084797F1B7B1F7510F98FE3ADC5ACC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:03.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:05.562{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8907FFBA0B75A8DDDD0E0A7C89857FD7,SHA256=08159131E7FF7B96DEF31785602D627D79EB73200905686AB9DD2CA043FC50B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:05.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA54D0DA401ACC726F95489A8CB900C,SHA256=86388DE7CA891BEAC3DB4F8298FF19BC4E6F8197B53822B50C9BE4DE9715FF24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:05.355{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:05.355{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:06.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61589DFABDA7CA81D55243A80A21FAB,SHA256=088F5603A74EC590E0B1CCEA3176AEBDA61D16D884A690577B935A0117C16977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.569{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264117EAEF9E000B706D28EF914EC508,SHA256=325A66F554047E6383666B584EA4C01E628196459A70DCE90881C3231DCA90E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.441{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=C03E171F329C4AA2E65B84619A784069,SHA256=46C244AC8056AC61AEFDC3B2F91DF2B7E25D3D7A665EE316D1CAE4D9749A36C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.433{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=D540BDD3A287D828DA490A468A6FEAE8,SHA256=7E50815F0E396DBA7110953DCAB1AD9305C17095564201085DCA72B69B43F78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.433{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=85B4700007B200A0B8FA39C6DA12F79E,SHA256=911034886F30CC5E29E684D6590471034D39E9D243C7D731B94442C8BCE245F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.413{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:06.261{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000972454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:03.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51350-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:02.773{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59043-false10.0.1.12-8000- 23542300x8000000000000000972452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:06.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEC4B77A8746E3490D12CA0A0B1B4F33,SHA256=26555CF9148F3E2EAC155709EC149EEB8FF519311C852424A20DA881B567FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:07.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA0F74CA41EB78F355249B96FBC89BE,SHA256=7CC882ED4AE050946DA69A0A8A40E844CFD3C9929FBC8ECB5B970D00C100C119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:07.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17415C8C807FAE3ED2034538049C493E,SHA256=991254B56F36CC5EDAF0557F6EDC24816078D84EF94D07971D31D365C1331632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:07.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6C9CFAD6C7B9BF6325AAD8A6C0EE3C7,SHA256=0BC4A9DBF9C60CE5A0AA840A21967D83E1EFA474B6AC481068A696C56895ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:07.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9133A4A146FB99ED3D2DAE50303AAEC1,SHA256=9D6EFB537B48CE8F47BE700F92BE44B266766CC4DF7629FE18D9A2554BB68A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:08.698{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9915DED31A3FFAD28DF5ADB47CE70042,SHA256=E4E3F25C917A55514C4852D43AC03C3ED7535CC93431A0E84AFEF4C509F13337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:08.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0680345785D84DAB7EC3174C0FB79C4B,SHA256=3C0B5C2102D2A628018D8D9471627BE35E420CA2A81471670A0DE0A6BF85DC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:05.955{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65332-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001043170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:05.955{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65332-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001043173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:09.770{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B323868339EE1E9BB6A6D422E3E84289,SHA256=A068714C3442D9EC8C53EF332141099A4BB0F57C8B052C4D2CB78E9D368F386B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:09.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B039FC026FF4FF6D6D7BA3A5A1AB13,SHA256=438E9ECAE8FD2A1192CDFE0D85168E4ECBCD31997E49121484E266BE2EA1CD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:10.773{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE5451FC6F6D6E0D16C7119A50E9563,SHA256=8E01C1257DFCF735299CB17AB8D852862601E42358FD0C7F5185D6D1698DF500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:10.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EFFFD00D305E9626B5B8C7079E4346,SHA256=9EDF1758442D7C9811ED7AC5888C5E2816B0497632DE84D04E9866A0F7C1C8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6C9CFAD6C7B9BF6325AAD8A6C0EE3C7,SHA256=0BC4A9DBF9C60CE5A0AA840A21967D83E1EFA474B6AC481068A696C56895ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.781{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927F80138AEED574F8424D986D124B88,SHA256=9B4C4088B4BC62B20A1DF7212D58A965549DE85B6F4B9357CCBBDC5239D8D8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:11.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAD20A387017F78C3445457F1BDC737,SHA256=96C5C30CE5E25AB963D21175F5866C69A9B0F8D7C7E4493CE692A1E932416153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.704{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=998BD06AC144FBB472D89BCE54600019,SHA256=D402076DA86D6C75071660A264C1A5404000E33187D249C731D37BCECD02B7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.703{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B3347D545E7338FC7F7E66AAA38F050C,SHA256=CD1BD66F468F20E16CC78B7845DB2ACD20115D3857E0146521450B16DEC2474E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.702{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C87ABBAF4E6DD1F26B72E5AACA77A9BE,SHA256=1BB18C376F2AD6BACA0D0EA6AA9B26710769C61B8141889069902A92A337A281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.700{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1F1507D97EB92253D5DFF6CF89A2DC7B,SHA256=4B56A99DD29D8B07B22A2583D06B68DDF8F336635D0BA623D244C17BA03959A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.699{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=27809BA15E1A004E6A1B61568D85AD6C,SHA256=E3264A5686B8A0E8202DD41856E86D21E096611631CEF4757B95E4447747488F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:11.698{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6B51BD5A2470E2CD300EE064E78FA3BF,SHA256=876A1700F174EB865BB44311407190D1DC80CB4BBFA175365696F8A0BFE7E312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:12.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6E023D4B15024CDFDFC1FC25284854,SHA256=28450F6F401E2DAEBD18B9FFB58360701359FE16765C34F676BF990CAC45745F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:12.795{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2470710F1A8BA2A596385374A35C7F,SHA256=42078ECB86051DEC37603CA53286446EA795DB1FE9310C6F9E1862845E0CAB2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:09.727{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:09.658{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55410-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000972461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:08.805{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59044-false10.0.1.12-8000- 23542300x8000000000000000972464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:13.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3FDFB44F5A8828430968B192C71CC9,SHA256=57F338EB4A96FE82ADD1786BCF5BBF3842F5E9FD13CBEA1B67D86CEC6C4010EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:13.807{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D049BDEB5A1A14EDE39E67517707279,SHA256=5A083DFD06824C1140080770929047E6CE4C7A59EF31BB4D8363C7FE42A60A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:13.068{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:14.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC984F6379CB2C4074B85459D898CC6,SHA256=B80545CACF6DC6E5DBE62D8AAFCE30A51E390F6E82AC94A0BC8E9AAEAAF0C300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:14.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29EC13B46FC102120BFCEA56BBCC01F,SHA256=CA4BC81FE24582A99C0175B45732DC2C2530464EEAD2B186D6877E5DF0E119BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:11.695{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59045-false10.0.1.12-8089- 23542300x80000000000000001043189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:15.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67DCC279C992D8D4776CB632AF18C31,SHA256=0E054BE157C05C70070B4D03145DF44FB1901317433344741BC90796E327FBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:15.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=271ED6386726D56D286ED028E4F7D541,SHA256=0E6545FFAA9760D3B46053083229217DA7C5E48EF9BFF7D08CBCD565FD17AF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:16.862{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41647A3055674CB16BF9E24AA7571754,SHA256=169CB26B7F1C39843C923D1A46879F51D10E122B06DCEAB164D1303204AEB887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:16.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5087C5DAF8B8DC5EBF0A75E5856E1A0D,SHA256=787CC67D01D11AC8D3D60B6C35584A06AFC3A66A5E42BB88CA80577862549772,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:13.828{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59817-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:17.877{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A951AC8403613312D0EF6ECA8A4E0A,SHA256=7E913E7F6DBFA4BCE7FE77562A8BE8FBCF09C6787E4E35F1F4260CAC1EFF1D5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:14.726{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59046-false10.0.1.12-8000- 23542300x8000000000000000972468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:17.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A067882FE8E1D14063A9E3C486D495BB,SHA256=C6B05AAF3AD0E3ADFDD6C76CDCD5C8561AB71C08BD6C5CFF9E1B5B8072924CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:15.732{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65335-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001043195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:15.732{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65335-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001043194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:14.744{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:14.657{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60366-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:17.041{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DEE48D7DB135FD92F884DCF8A1325,SHA256=8A77C2A9515C17C1FA210DF3E587256F6A07FA20657D8AABB20176BD2C02F6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:18.879{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FF5AD42A5D3B9D36772FC96028C4A6,SHA256=629B6D4654FDFA8AD69BEA5BF38D94DF1EFCFE1C7F35FF0CF86B519D250C8E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:15.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:18.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D718F6076F7F9C6007B83694BEC065,SHA256=850790C709778C674ADEC8BEFE1C497E3F28A3198CC8C387C7039205493FF528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:18.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45AEC86B830F2B2C85D940023F8A613,SHA256=4C6AC2E292ED3BE5A318CADDBC73013A2336356432D7A6EDE6E19235E8F11B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:18.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77B369F17D1D05E649E35DB89C73CB91,SHA256=A59620AF6521560CC568231106E1756F3E5A30889994F189BDA2D154B6E5CFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:18.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA58F91334384D85835FF6F9F15CAB76,SHA256=39497ED45E04340A0EADA4147CEAC6EA1E92FC5A2A14CCDE7CD4EDADBAC33E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:19.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36F6F48E86F38DDA375370DB4C711E7,SHA256=2DE2F3DEB5CA2BCED44F41A0E89627C397AC459D4A0E491A373B8CBEDBA8ABAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:19.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA6B5471272FD85484B5CC31F8D02C6,SHA256=86404E0BE4B8174FA5CE63D7D99723506D4FFE10C8631AC4C9396F7BF51CAD25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:16.893{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:20.913{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4280MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:20.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7CC968035E7EA94EA008FD1122C7CD,SHA256=DA1A7F2D5A706D14C338F2ABF4E06BD13222A81AA0140F455FAFB612A02580EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:21.914{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4281MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:21.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118C1592776ABC383123A1E19E67DBEB,SHA256=ABF6A42F162E03571377963A2BB5032D189D4BC22D41CA1079F2D695F33F891E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:21.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79FE5EBEE580DF27B3E94032D0C807B2,SHA256=655AFA9DC451D241A1740CA6AF09488F6A81330C47D8A15C9BEA0E6D49408A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:21.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EF0903C661488628CD171AF9B324BA,SHA256=14678ECCD8B3DEA76F7D6D47D415D532DF26D673F52A5109C6DA6FF19DB17EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:22.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77B369F17D1D05E649E35DB89C73CB91,SHA256=A59620AF6521560CC568231106E1756F3E5A30889994F189BDA2D154B6E5CFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:22.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2058852DA95084A3A832C197D90A0E8,SHA256=9FAE921294E30DAD9A6CF30E65F9584299E6C59B9A3EBD96557BF5410FC4AE95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:20.290{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:19.744{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:22.114{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0237DE40AE45204E833A430E5925B340,SHA256=E910CB8A2DBE3AA1397042CDDCF39A04781B11E568DAA82BB649ED39A1365EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:23.235{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65177223012223EAEA160A3EC57354BF,SHA256=5D090BE2DDE1D6EA66BCA1CB9173D0D1793F4E8A5F6CB6F77E7310C63C1EE420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:23.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430DD2323268EF16533244EE4FF7F8C5,SHA256=F8D113EE917CA287DC48FE58EA35957FC92B083211FA76A0FB75A3419AACC87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:20.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:19.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59047-false10.0.1.12-8000- 354300x8000000000000000972481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:19.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62139-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:24.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4D087A9EE83D6B54BC302FDEAAB75C,SHA256=0EB12E6A43B3DE259EBB3454B2ACDAF33B87EA41597790193026A0E3FD5A91C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:24.236{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CD4B895C15474E08F7D42C67BB0DF6,SHA256=38DB4446F54197F5F64E64284F5F6448EFB86F2F5DE40FDFF189B7D386120338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:25.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68F16B8B5616EFE42F983B065447A57,SHA256=2FAAD5762BB96C2457B17FC03FD6587B59840D2870A577A7B32068F9E78DC52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.239{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B782B2114DDAD39778352D678545CDC1,SHA256=F7B33E3D338511FA4AF2776B95989951DF073B80476E5A6F2BD060FF0986BB89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:21.104{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49592-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001043214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.230{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=498935C39101A8E19B33B217BB404E7D,SHA256=F8D3E7598402655F209410B22CB4DE6859E37F2BA7DCD5BA259747FB9BECF50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.229{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EAD1AF3129EB9C9332E6392FB8096863,SHA256=66343FD263AF6C5E152DE8860B1BD832FCA298C1978A7DAF382594DF81703F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=15804D06A34984099497A99B174590CE,SHA256=39CBEBC71B7387C915AA10910FB8EFF938D3AACBF5CFE505D5D0A06EC739787E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.226{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=19F46C2A4A9FC5703AA10C3ADD9BE8C8,SHA256=AF3A2E9914B17D900E5148CC4FAF719E5D81FF8472176BCE44E0EE6F00C43273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.225{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E197EA6739B42156A6D92B95A652FC7D,SHA256=55269A28414AEB9F0F6C13A97CAC54A81CB22556D2D5FC9E830102051CC99921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:25.223{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8926FFE5B75122897E56227A51F77D2B,SHA256=BDBCB3065319F37F28A4527E9C44AD9BF9817393C17722793CEFD4BCD1BE172C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-842E-6151-FD78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-842E-6151-FD78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.898{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-842E-6151-FD78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.883{69CF5F33-842E-6151-FD78-00000000FD01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5119CD59BD61012D9EE154300FD36CBA,SHA256=FAB7EE481CC8AABAC368AC7B5C06B85B7DFAF5AA85BA5202F6829519FE69AD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C55FE484081D378D6D358F88BEF6E2A,SHA256=8EE516095402A575B7A04EF93579A8170B0F92ED700F2135AF6AD3EFBEDA1AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:26.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81459D5023680584C2C78F0DECACC864,SHA256=C005A125FCF6224C1CCF305C320C2E753CD026D845B33DD844251C29DFDAF6BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:23.947{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:26.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB2ACFF189D2F7578F9BF54B01306E,SHA256=D512456EAC539668CD30BF2AE7FD0AD0B84A88BBA7C50FC64011B4FE254D667F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.399{69CF5F33-842E-6151-FC78-00000000FD01}1924940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-842E-6151-FC78-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-842E-6151-FC78-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.211{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.195{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.195{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-842E-6151-FC78-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.196{69CF5F33-842E-6151-FC78-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001043220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:24.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:27.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71ABF0B4AE942AB09CC22F37E98EE36,SHA256=48618051AB1A12BAE2F91EF3669EA8120F63134D6C03595778538C36CC78E0C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-842F-6151-FE78-00000000FD01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.586{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-842F-6151-FE78-00000000FD01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.570{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-842F-6151-FE78-00000000FD01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.571{69CF5F33-842F-6151-FE78-00000000FD01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:24.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:24.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com33606-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000972517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.086{69CF5F33-842E-6151-FD78-00000000FD01}1362832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:28.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1EC6586B9E5B18CE8F3A14D23B71B1,SHA256=06F8BC61967F2E10C2484A43BDC2389313E84194DBBDFF60F563F08E2253B5AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8430-6151-0079-00000000FD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.820{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8430-6151-0079-00000000FD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.820{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8430-6151-0079-00000000FD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.821{69CF5F33-8430-6151-0079-00000000FD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000972548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.305{69CF5F33-8430-6151-FF78-00000000FD01}23603660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8430-6151-FF78-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8430-6151-FF78-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.148{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8430-6151-FF78-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.134{69CF5F33-8430-6151-FF78-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A93A0D4148234BFB62452CBA593392,SHA256=D5E0EA36664A85BE586E7E7AD5E060974F00D81CF1BB79962C003F626B91C2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:28.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C909E829E816A3BA9A059CDE1440CCB,SHA256=D3D81A372EAB4CF145FC5A278F73379C274A52E763B70D783AC3C1F1920D495F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:26.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53470-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:25.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59048-false10.0.1.12-8000- 10341000x8000000000000000972577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.555{69CF5F33-8431-6151-0179-00000000FD01}1932592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8431-6151-0179-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8431-6151-0179-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.383{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8431-6151-0179-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.368{69CF5F33-8431-6151-0179-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08F844CE40E2435836F23367D8DBD0AB,SHA256=DEA4E757CA117E5F0FA73091C7DA15BC2656D448093E5A1A5CB5540B54757E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:29.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7DB685112ABDB5CCAC5F81AC174DF0,SHA256=7A41724F4D42C1E9DE1BA5C232150BAA0E45D076667A2A798A356866FD30522E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:29.958{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBFFBFDF6A26DE071172B52C6642E9B,SHA256=E862EDE81B4C6E3BE6CA4A15A95A9BB9E26257A8B18780D8E45A9C3B122DC6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:29.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162F42B536D765F07C6487117A37063B,SHA256=8479E6A2451EDB528D508409DA5416F9B1C0E1325025AB25EB431F33F10112D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:27.654{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:30.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC934E9C35C091BFC19308139CAAD214,SHA256=E78C8A5455C6130352726E577E88D00DE31FAA7A27A548349FC01EF30DA61109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:30.289{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B5F1C6F3B2C017E01E8C0B10678EA3,SHA256=34F1C4AF5AD8CAD4F488C6169FF229E94E934E7720ABFB5DDDFC29B2FC4B37EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:28.297{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:30.286{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A665E0ECAD186B39245D4864DC1563E,SHA256=A0AC1A4EE33AC6461FE64A2D1AA65CAE98E7B2A4587BCA90CA16B4C604D30219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:31.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB336A40CEEC77DA889B384C48692B1B,SHA256=88055987835A5EA60E375C608D1D25B950B27FA462DF8663A86E0E18C3666E61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:28.905{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com35221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:31.287{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B989C648B18D424C0D96EC170C68F1,SHA256=FC0C9465452B1E4DCB2580BE5467E8DAD4DEB705F041659CA81F52FFCD6458DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:31.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEBAE76C1937989ADDD040E4C34F504,SHA256=DA271108741B21018899ADF92A14CEEA5CB160DE25C24B7BA81F954A6EF1D574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:32.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEC2B51AAE2DEB09157C00F780DE535,SHA256=3AE335D386BC383C729F90B4CDE91DDFBF9A98417E23E6CD9B161171DA14DDD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:32.391{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:29.870{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:32.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C7B9625DC7B4FF43C6AA21B2244568,SHA256=1215FCA7632FDF875FD134296601D0BB5F1F8AFEB4BAC22574959217094CB68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:32.320{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=93598D33C77E5EC92D4D6A9983961D54,SHA256=2D3E06926A2514E34A4F0607B8871FFB0CD11C12F4E6446E12697F725A28C203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:32.160{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:33.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D43E71712B960AED4DEC357774DC86,SHA256=2FF3C18DF3CA5D8F133E357195D1A7D0A99EC70544DE1A9E9F62FDFDD42EA360,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:30.870{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59049-false10.0.1.12-8000- 23542300x80000000000000001043233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:33.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142A33E21088849BFE630BBAE798C133,SHA256=E7F326ED4AF3177479C9480976373F17C4E392906522074275193681CC74D462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:34.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A53FBC91A6CDBEB908D63751A35816,SHA256=F7FC8E8E67453092398A67DD42A3607629567B5E79A1DD78E41BA00684A77F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:34.491{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141F64A762052B185E73C825DE84226A,SHA256=B48E71DEF11A1EA5C39C706EFCEC126694B1ED3267403427C12276FB7C3FFF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:35.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4EC4F236BC04DC6B4ABADBABF6158B,SHA256=4FC88B5364DB4110FF4B06260861D0CCAEDC683C3C30A99E5A4417BA03126AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:35.990{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:35.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90A932A9F273F095DEC9184EC2E1754,SHA256=A599A4311332B1170A81514F94E0C08036039C287C1BB8BFFC51577B455F4211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:36.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D43C9BE9CF428C9994B6A742A59723,SHA256=D395077F79DBCC1A7C005652DC8B484AEA1192B4DE7723E6B868943DCD801164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:36.836{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F763DBA2FE6364440B6E7784CC3B6A40,SHA256=1F299D3FA3E6744C8743D9D0F276109357EBE5D7A4535395190C0DED6D564691,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:34.284{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:37.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8658F2FFAE60F43547E15200C6037D70,SHA256=1CE0FD3FF02E906BABFC96AB692C6C7D9DB5CE85155714E0C0EE7C30FA3D3F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:37.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18656D3A10575146E60FA54186229A0B,SHA256=ACC8978FBFAB464D32E7E2FE21A61463DD8004A5CB738901C5827286575DB38C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:35.666{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000972593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:37.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A0DF0621053D7381714300031BC0C24,SHA256=A783790AA87828537AA4C6CB80B22F0C86D694551338A8A94FDC261A072337A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:37.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B6E49B21E65AC103F5948C9D948A249,SHA256=BE309C8132AF481837CD835745D7B360B92AC2B9B74EBA7922823CF67673A514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B47E6BA4C1E2599B43FE7CCA65C10A,SHA256=93FE27C68FB68E3964139A43A81BDE4046D2DC4333CE9E1E3F4BDB6BCC297E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:35.806{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000972607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.383{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-843A-6151-0279-00000000FD01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-843A-6151-0279-00000000FD01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.367{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-843A-6151-0279-00000000FD01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:38.353{69CF5F33-843A-6151-0279-00000000FD01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F5B9CBF3EECE03D4389E198A7791BC47,SHA256=A6D44C6886B07E99A8241E6964ADE0DE359EF5323A7C54843B4503C9BDD4FB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=98D57B2EC708D9E7C462B832FAA2C2B0,SHA256=6E2284AA0E5FBD0ECDF1A429EC892F2E8134D19C30C0B52C3E2BC7EB8E3C079E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=34E1F48F5684ED55CC0CB8F8406FF98A,SHA256=B1BD97F0506A2B79F44A6DC4F6115FD56ADF9B36C81C4C84A018B2D48D10D848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EE9EE5FEB0341286798746FEF2FE0D9E,SHA256=978AC233E9793FE4CD19DD9AFE0B2F2D77E2EE906D1A74009A4DFF9AD2E47C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9125FD40A2968FFEE8906FA93B0C4205,SHA256=4C85DA7E8E83C52F0B3EE78D5289CC53FF3BB1DDF02B8B2CF1A880A318008DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.457{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EE4C9DD53009C179DB53A6D9416377F0,SHA256=6BD5BD3FECDDD192406A00135FDA7AF70C2364F840349AFB5A3F70D4930780F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:36.397{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:35.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.040{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75721F20B3711DF1E3D52891988A74E4,SHA256=4E8B14F4D6E78766D072743E6C43BAADCF2E6D7E4D60A8FA05D4605ABD5E040E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:38.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED997B98B1F3881C3242F863764B65A,SHA256=97878B693ACD365109F3D5374C9105381EC08A336836DAF52D0C0A7937F55968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:39.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD917F0C6D57DAF0D0CB3FBF770910C1,SHA256=54AB7F336D8B0E89F4B5B781AC877BD6F7877DEBFCE9754AE0DB8A24B8152E28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:36.854{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59050-false10.0.1.12-8000- 23542300x8000000000000000972610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:39.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A0DF0621053D7381714300031BC0C24,SHA256=A783790AA87828537AA4C6CB80B22F0C86D694551338A8A94FDC261A072337A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:39.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1217612374038301F7EEEF81248B2D28,SHA256=CC2FDF20185B74061602726F0A43F17907C34F765489B1C95EE5495573995203,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:37.338{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:39.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75721F20B3711DF1E3D52891988A74E4,SHA256=4E8B14F4D6E78766D072743E6C43BAADCF2E6D7E4D60A8FA05D4605ABD5E040E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:39.019{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1CF2DCB0AD91CE119C11E7B4C4F13F59,SHA256=B0FA9890B680FA93B9BB0D0EE029A91483899CE42F6C4F8E0294250B8752BD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:40.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98639640F03EC554FAEF0CF9DFDD6ED,SHA256=7E197922EEF573510F0453EE95595B80F74F359624EF0BF083A6A652313B44BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:40.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FAAB42FB087EDA5559E9A8DB5C9366,SHA256=C4A62AC16BE5E6BB6BDB7AD7445DA417D375569CBF12F6CE48EA059C18A6929F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:41.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F07DDEC855CE921C49B4AEF24ABE495,SHA256=2701C79B470C2F5E061C5E2677617BD9E4D6D64FA078B4642A97EE58474842AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:41.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BAE7722C50E29EDC66447406929EAC,SHA256=51298167A2E4F0E5FD2A186F84FF53A3619EBBD22B48C8BE762D04BE617F1E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:42.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B502D60860ED63CF7791630B92E7ACC,SHA256=AF55B627FE81552A26EDE8C409724BC7D14880440474253C0314EDF7D366A1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:42.722{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4D52D24149F22B31213256EB5957C6,SHA256=DB34A00E8979CEC974B428EC524DFFA8462FEECF20932FB6963A69C1F9888468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:43.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E68CC7FBE3F11FDF4983B63258B45A,SHA256=FA83AFF154B68D16F2EAB835A5095F137236924243210D5EB9986744FE7036CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:43.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF66CCD2D8881CAEF336E096A78CB00,SHA256=60A3D29256C3B1B5D66B06B27A743D077B16626C758E5DCDF39203F3163E91B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:41.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001043268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8440-6151-5979-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8440-6151-5979-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.991{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8440-6151-5979-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.961{5EBD8912-8440-6151-5979-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:44.759{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D79979E40658D795FCFA31B770605D,SHA256=9B39B8897AD2F321E148131B76118D7FC01539E0A8E651C61DD6FED04024B908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:44.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFF49294326354E72CA0B5139971088,SHA256=351A47BA760D49B00EFFEA6C2562BF11A897B125E84C84213F0DEB69D38F0E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.977{5EBD8912-8441-6151-5A79-00000000FC01}19404452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.759{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DFF8A1364D924C641376A10560F30,SHA256=7B0DDCF93DB203932DEAA07452AC1A250BF814159D36E4F9CA5F336C80CC8501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:42.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:42.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59051-false10.0.1.12-8000- 23542300x8000000000000000972619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:45.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974933005C4D288E7E219242F65ED495,SHA256=0E82583B1347C9C464D50D74FC9BC6687F983C523C25AE75B1309E72C1C0AB37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8441-6151-5A79-00000000FC01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8441-6151-5A79-00000000FC01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.675{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8441-6151-5A79-00000000FC01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.660{5EBD8912-8441-6151-5A79-00000000FC01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:45.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B96792BDD2FBB488AC1BB231985C0D,SHA256=7839B66A2C45BD1B428E6809130E7923AFECABED763B34A9165431E6C33ECD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:45.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52FAD278A3D7C8A2D1D7C9E35FBFEB37,SHA256=CA28CFCD59F2E10AE4757E60DB54814A582CE93C81FA47A95700CD1AC6C79B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:46.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1F8076BE1FB27DA723671DE51C70D4,SHA256=4DF53CA3B8068E7624B6255D257CD9B893A600203198FA9DB5B56D4EDBEAC81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CE58F7040AA97928C8D47DFD135211,SHA256=B03415E1169932E4EEC318CE260E651044ABE0A3BD19455F4909EE4E56CD2FB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8442-6151-5B79-00000000FC01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8442-6151-5B79-00000000FC01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.381{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8442-6151-5B79-00000000FC01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:46.367{5EBD8912-8442-6151-5B79-00000000FC01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.998{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E04CD894A681E33921B4133B83C0B1E,SHA256=313DA0DA46A0739658B5665C7B7695F3A95880553A5AA29343E05175BF49343A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:45.998{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E0E30E3C991DB73C60F6BE35275D22,SHA256=4146FE9427FA3EE7063D55D14FF9F3ECB63D74417ACF4B679F2144EB69176CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:47.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A3C9B3A8B3B6767FD05EC9D0A03324,SHA256=0E5E3F95A75DAD6EBB6787F835F00FE2EF99008EFF052B977A3EB0F5F146EB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:47.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9558BD24F91C460B2AEC70629BFDDC4E,SHA256=34749B48AFC10B96CB08CDF2FF26B99609CF1E31D1494317C46A8E007E57E202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:47.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E04CD894A681E33921B4133B83C0B1E,SHA256=313DA0DA46A0739658B5665C7B7695F3A95880553A5AA29343E05175BF49343A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:48.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8B06F622D0B108D5E5B6D5BFEB1887,SHA256=9E5AFF0C6EB03DEC10150C32B720D9D999759662F2902740B3372677894A2ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:48.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7EA59787810CAA69EA11DF2E090CA7,SHA256=B32DE0BF898FEC51C426B3AD08A9A36DA862ECBB737150CE9CE4C165CC4BFD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:45.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:48.029{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B96792BDD2FBB488AC1BB231985C0D,SHA256=7839B66A2C45BD1B428E6809130E7923AFECABED763B34A9165431E6C33ECD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:49.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2EF556FF46708E776670360BCC5E71,SHA256=B55B73FCBBF10C184E6D5BCAE283D6FB32ECF99073DB09B18DB67125A8C499D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:49.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5918312EB022F05C55CAAC18F664CC5,SHA256=C6310E46DD1286753201AFA9384931A4F334B637B2A262E91AECAE3B2BF96272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:49.319{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4280MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:50.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A8D69688E489E0A3D85C32632F81AE,SHA256=BB4C8CAAF6AF8FB18FD664669616617A5A622991EF6F98A6C31246F2A5A1E16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:50.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB98623B24996742D7FFEDB22BAAE6F5,SHA256=0FE89F13F7D064AC9FDC1BC607C11D2384F6270FFC8B5E64D6D117DA44784507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:47.862{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:50.320{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4281MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:51.873{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF7B80D7663B90292E7CDC8E5698DB0,SHA256=DA621FC4952CE48009030AED08AC69F776A1C69B661E4C8434402EED75D1C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:51.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22248B2B9D4E9ABE9292443FE7ACD27,SHA256=B1DDAACE70BFA4499581B047E415741E6A3328B6514EC88652CF01F034D6F4B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:47.796{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59052-false10.0.1.12-8000- 10341000x80000000000000001043298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:51.173{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:52.889{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC839F3EF5D6EE221885F982B2D2DB,SHA256=A3434FF3CB63A4CF779B46D71F78B251D03C610A5AC1131FB8E43D2E1EE0DDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.956{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC1CBA93EE95A226CCD1F8476F2E6A3,SHA256=1C55D56CDA271125BEDF6B73A541491F9828F3DB8AC529AF843AF90A9BFD6AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=38EC637AD30C5AA993FB9100A217160A,SHA256=F149D8C16E781011E435AA2739552D14638A21E3376947E88C47DD1B5647D7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7F50DB4678AD3B586F8637D7BF05690C,SHA256=1AD106991C48610A7BFD9FD8C4B3BC049F63A17B80E6F15DF02B16CABFCD7D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F023BA60C3A17A53C7501FB869B5EC84,SHA256=C1E9F089A84C9482C3B05CDE2A626B75D0E49E8A5199FF19034CC7BC73924CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=43FDE9CC6F983D445C28085CE1E7321A,SHA256=9CE941436033A7C52AD7E5E26A4A641D72B0A824F13233CA5AC0FAB646D7106F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2E2546DB0BF209B2461DF059D2579A14,SHA256=E1D2D239BCA7C6D6685363FE53F7D10E4DE215E180245D9CA34329FE84610305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:52.618{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A81947ED7CC4011C5414459AC7BC0C16,SHA256=325A4CE35325B44831691311658D18365EEA3E489951C65BABA38D3BF5AA1110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:53.987{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F7751D3807D79DC6E710897770F9DB,SHA256=8603D4DF4A358BD71AEF3BD24D0FC1CF32B54E032974446684D4712CE3BF5CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:53.956{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:53.818{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:54.123{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C042BD2D9A03757D3CADAF59269D84,SHA256=9830EAB4A74C61F061F55F9177FE32C9004B7B178D085FAD60626C02AB68EC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8809DDF2221EA8C6966889A70A3683FE,SHA256=65D051A148E87A9DD750440A6C01B1AB81366CD48885B8494E0ED1CD6B6D5B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83BBDF516522C653AFFE3513181446B7,SHA256=E859EEC72D8B46E827F4800CA6BA4D2987F64026C55D95C9873A57A982DC3C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.855{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-844A-6151-5D79-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.853{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.853{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.853{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.853{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.852{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-844A-6151-5D79-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.852{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-844A-6151-5D79-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.821{5EBD8912-844A-6151-5D79-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.590{5EBD8912-844A-6151-5C79-00000000FC01}42044720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-844A-6151-5C79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-844A-6151-5C79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.237{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-844A-6151-5C79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.222{5EBD8912-844A-6151-5C79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.174{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:55.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDD631F9BDE4269D0DC03A7FB79FE32,SHA256=27AD5152DA6BBC7C358A353251B323D06C0E1511A3C1278B982CB8F9B0C0F400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:53.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:53.306{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001043340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.633{5EBD8912-844B-6151-5E79-00000000FC01}53285888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-844B-6151-5E79-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-844B-6151-5E79-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.417{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-844B-6151-5E79-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.412{5EBD8912-844B-6151-5E79-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.182{5EBD8912-844A-6151-5D79-00000000FC01}512612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:55.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1B6312CDB8BB41BDA8852D0B06AFD1,SHA256=190B355420B2D8F5E805D5EFFB0C1987DD57ED42A53263710F8251F545917B76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:53.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59053-false10.0.1.12-8000- 23542300x8000000000000000972634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:56.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E96FFD99E10819D476EAD549AB4D43,SHA256=4DB25F687E28D7796C3CC99880074C4D2CF3B2725AEC8E1C06393657B42726F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:54.038{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.416{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8809DDF2221EA8C6966889A70A3683FE,SHA256=65D051A148E87A9DD750440A6C01B1AB81366CD48885B8494E0ED1CD6B6D5B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-844C-6151-5F79-00000000FC01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-844C-6151-5F79-00000000FC01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.100{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-844C-6151-5F79-00000000FC01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.085{5EBD8912-844C-6151-5F79-00000000FC01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:56.053{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA46CB611079F001AB5CCAC45B52AF1,SHA256=22D50E6A72AB4F233E059626BB1803FF0EA81F1611560ABB165585CFFF3B51B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:57.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020D92EDD3574BDE126D3E74E39C04B3,SHA256=BE7E184BB336D8827DC2B5DCB90C598EC663D946015BA3ABB76652041B6008B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.571{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001043354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.055{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E47B14ADFF3C5A651914A9A510C724,SHA256=07F8601D2A418FDB842375AA52367BFD6192D9DF1A388FF1F134C40CF928DAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:58.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E7A74D2BDA86E13452A79F9ABA4B52,SHA256=5BF940609A3EFC2CD4A5C995C83BF7145346B2D78486BA34CF9DA1DDB607AD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CC04D5EFD54A4B7D8D390C5E77885DB9,SHA256=EF3671C82F11B9AC4F5DFB5EB02081B75F0D981404786347358F7DFBA307B9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=AB5AFF9D6B96EB03F372DCC7083095DC,SHA256=A43862872B13654BB19773675FC78D739F19A05D35394B5A13DB33DDEA388424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3A263B01D2C55FC6342AA1CA2FD122CD,SHA256=912E42C0B8119930FA5FB98110F05EA0A9B3F99AD4A2F281BD10739CAB438FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EF05A1AE3D847C81F1D6FAC6A1ED9715,SHA256=FD639EC47EB964EE2C334640EF151AD711F89DF8B73781FD66C9224432C06E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0EA735856BE882F7D344DA4D5A9F8CA5,SHA256=1E3365EF4559DBF2A32EA528E4CC92A29D97172DE2CDBEC2600F2207B7D8C4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5925020DF346684A6200499BE8C7CFC1,SHA256=0209131E4621CF52C7564076AED2442E6AAD4B2DF234F4195793CE8446DF2C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.471{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C189BCB077F2E3BD7BE95F95B534F5,SHA256=82945A8C0E438B97B5B616C7A25F443AE79D83F0C293B1A3B3169008CA0EF8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:58.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AFB17064D4731E49B9ACAB905D9CB2,SHA256=D57063846DFD24F113F614490668448AC254C3EED4185B400F8F2C41F60123B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:59.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB8AFA373ADE22CCDE44D26914F00AB,SHA256=44C4C3FD2B336201D1025A37B9611703AFF7AF8844B6E44CAA04258E92B4E9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:59.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC20F08098DE25846988D704397FB7C,SHA256=27511CC4049A3A013DBD868FCE6AD612E36BA6C9A054E2A1991E42E3EC60FAC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.266{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65346-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001043368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.266{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65346-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001043367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.159{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65345-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001043366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.159{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65345-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001043365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.151{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65344-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001043364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:57.151{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65344-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x8000000000000000972639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:00.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A440663F1B960C1BF6E5C04F37717E,SHA256=FBDC2A531FE2D9786D4545FC095AA4FA92260FED59F713B0CD4A15E70421A21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:00.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E5B05A5AD8F300ADE4A2BCC4555EB5,SHA256=07DC88E01605CEB972E11A56CC02F97A19230CFB8127C3008399D68D67AB35C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:01.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB503A8E25AD90F7B15DF6EF91A48540,SHA256=430FE138E38CD17E8CA981A990D7C2501317BAE1F5223BFFC6EAB2CB6D9ABADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:01.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952010A6F3E0AEE26A12D64FA699F06D,SHA256=9A18B1216A782E0648FC09E3305DED806DD21875288F4E7AA80DDAD08B40898A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:02.754{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:02.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F29E55F03F6B5C4B414E8CEB2A20F9C,SHA256=0AD0E171AE4BFBB86E8BEAEC248D7D68D813E2281E49EC02466FE928B7803B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:02.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC647D0C7D0AE16BF12DF926591BF8B,SHA256=F9CB168BBE222C9341D7B870F145B3B1285CEA0C225539FFDD3449B2A1980094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:02.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9A6FBCB0BCEA51DD01A42DA7597989C,SHA256=7D64C54D89B602EFA1D0B6865E8C8423AAC7772856BB759AFD2210CAE24B8048,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:43:59.824{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000972647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:00.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49744-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:59.981{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59055-false10.0.1.14-49672- 354300x8000000000000000972645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:59.703{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59054-false10.0.1.12-8000- 354300x8000000000000000972644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:43:59.654{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65382-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:03.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C157DA8F385B5DB3E80EF45713F7D0,SHA256=2C7F02B5572AEBFE5A6356BEF0B109D1EC2471D4FA6368258D00E73223BE2C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:03.185{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D264635631A56071227F66D5F50B5E64,SHA256=9A51EB9E8BC6428C1C199259E28F247E30344F05815E5B07A1558D19EA356C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:01.039{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59055-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001043376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:03.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A775C42D827173D4FD3C4E9B708D6C6,SHA256=5A177083F14220AB7DBCCBD765A14CCA87FB50FF9E9AA3D825874BB342638B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:04.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF9684522A97F25CB3179E413D79099,SHA256=598C3F3B2028DE63908E7BCD777425EC27411A62AD53A8A9EB0B4C3C75F94C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:04.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5291A9221AC61B0CB9A181BB65C907,SHA256=7F2BDBE926C13EB6977D462B66F33291736A8EA71BC63581A5225F54C8493BDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:01.471{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000972649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:05.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A3F53C98889F03080290FC7528969B,SHA256=E9FAD5AA40531D8747B300F26E74E00D43DF01E4E2C3733214DA83BE16E55F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:05.819{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DC654F29E08692F4FC3B155EC27A9D1,SHA256=2E7ACF2A1485EFC6FE3883AA56789346F69EC2066ED2E586D8053FF72E60C3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:05.202{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C140B0216A404B99E8F68204C772D677,SHA256=8C640BA7A961B40C05169965D94ABB839B1B380FF7502BA52201DC94716BAB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:06.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A50F692B98C0A62299ED47B681084DA,SHA256=871D0014B5ED18B8FE47380F07720C5EC072A17C8575FF58E6FE725571977101,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:04.171{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:06.203{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552827485C7C5DA83D2489B0CB4CEAFA,SHA256=3076EA0DEA2352FAC17FF4CE187202C7899476A092E7AB4A15046F873E7986D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:07.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A19AFDA83036482D5334EC5B0E9D291,SHA256=5025AAB1CA12E7FFF2049BCCADF8913D4A5182A0E09589231CB2D175DD1CF1AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:04.925{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:07.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB81D2AE01EAF177385E7FAB8F8D11C6,SHA256=91D9F606835FCBB1C13DBC7EF765D88D2A8012D90D0B4746AEB0C8321E6BA025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:08.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163185337F212BFA5E68082323C9BE33,SHA256=B3CED703BB8E7234CA4D285C9B5FA9C216BD4E7160640F53304072FF20F36124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:09.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249308B51C72CA0E860864C1DEAEEC5C,SHA256=6F496855CC434D07D82B2E8D60DE33ECDBEC25AD50ECD915BBB2B9D67C1AB128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:09.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA9FEB7C51023E1516BCCA8B62AE7FBC,SHA256=4C7F88E358B0C497041F8CD445893B418346DC26629E658BD407C13EBA6F02AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:09.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F26A83563BDB18A257E6A26274209B,SHA256=277C5FFE6CD7067E001B05B6B762BC79A982C792A59CA0A2D97F71EBF1419E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:05.714{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59056-false10.0.1.12-8000- 23542300x8000000000000000972653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:10.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3335431F70456C9250695728DEE3273B,SHA256=D41387D95FB143A16CB4B0EB079BBFC793191A0C5F8AB8BAF1F2D679CB28361D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:10.583{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:07.935{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58994-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:10.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D33DE571D76459B714489DE3C87CA8,SHA256=F9DB18F288D37E33A1E93FE99B1F0C1F6590B7B6EF8F3EDF453C72ECC11A016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:11.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2ECBEBB48EA7306A72EC06C0819E21,SHA256=919D2E520D1A9DF85C336C5236D822180BCD9B249A6BE8E5E4B3758ABE48CAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:11.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590BC066444302430C53C5C4054D93A1,SHA256=BBD9A7EB3583779C9B401387B0C5A71608B697820AF40B64456C5BB612D8E269,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:10.774{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:12.335{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F0FA1354FAF2897D638EF853ED07D6,SHA256=1A2C1D3B321A76D9C6A95B0243DF007980427322885D71E18576F1187B68DF13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:09.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:12.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F16F5FD814C0211E4ABD8094621CF9B,SHA256=3437F9F7DDE73409C95800CCFAE030570C65CFE155F3D9744083BA6A087F397F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:12.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44BCAB3F45CF774A11B92EDDA651D020,SHA256=B7820E398F5DE3073171378A301062923204B4DC7F2D66DB777A44D92A3D652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:12.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC647D0C7D0AE16BF12DF926591BF8B,SHA256=F9CB168BBE222C9341D7B870F145B3B1285CEA0C225539FFDD3449B2A1980094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:13.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F145C688ED9F4A3819E793A04D5790,SHA256=1D64584FFDCD2DD109D1FBEEF2A5985CA1470DB3768B0086C5D4703B7814BC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:13.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7903F5D083AABE9B2E84E08E018E11,SHA256=98779E3C6876FBE0810CA3E620BBE91AEC525CACCE3698C4A3D2078DBB1A890B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:13.088{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:14.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44BCAB3F45CF774A11B92EDDA651D020,SHA256=B7820E398F5DE3073171378A301062923204B4DC7F2D66DB777A44D92A3D652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:14.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0200D6F81F5755F96B54B52F6C66627A,SHA256=88CBFF12C0FB0086224C4A0AFB2D9F0A7C7F892909DB56A1995606E38C3AC13A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:14.467{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:14.467{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:14.431{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02A9ED0334D5DF747D68AFF84D375AB,SHA256=261A7914DAC3B051704FEA37536D7B7B42AE0EAFEE3ABE4C66F89D0291837285,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:14.250{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:13.347{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62415-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.450{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DCCE27A4C5A2FF7F603B9A4620A773,SHA256=EDED504BF76B4EBB298C588A35A1726F1CEF597CDD5F13DF591D8101A046ECDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:11.716{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59058-false10.0.1.12-8089- 354300x8000000000000000972666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:11.714{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59057-false10.0.1.12-8000- 354300x8000000000000000972665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:11.472{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61934-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:15.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DB23296FD8B22B87964F8DA20D45E9,SHA256=CA8B089B1EE41BC4413FB50D6A80D8D89B7D242F17CA7B6A6A6542900B296AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.082{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6CCC47EFE55A0DAEE97910A00A37F37,SHA256=6CEB9DC52BC444AB2EFE195E7240306FAB8E883D52B55F245753C79B2E00E2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.082{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDEFE3BC3BA41F2402490113EF1E5ED,SHA256=B5F1882502AEF9C419149080901D0AB1798001EE7AD4FB7C41014C4E1A8C0C98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:16.481{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001043407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:16.481{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:16.481{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfb4faaa.TMPMD5=E91C690A796521635E3682A894D219DC,SHA256=555FF92FD1597E82A8E4E3BE9D6A27144CAC78A5AAFEC6001724CE0F8D5CEF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:16.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460FDFD4F76D3E1D95F454DD66A61301,SHA256=2E2CE1C4F7CF7C73CE14D4AB87C4046569752E2409395F74E35A659FCEC7A682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:16.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB181A670539E2C3735D0F451293C6,SHA256=473E73686398998894BF22551751278347810563F7B2EA95200224F60A78EC63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.920{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.742{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65350-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001043413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.742{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65350-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001043412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:15.737{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:17.565{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264719CFB6CCA19299BB0BB5F63617A0,SHA256=B86DF55FF192AA83F3CF8A687C8E6525D84736207C1079309A66CC411F8D5D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:17.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA62056E0518F43E19A58BEAAEC817C,SHA256=2635B99C952AAADA5B8FE116FF9A1093E05979C2C06A1E15F570871589D42E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:17.481{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:17.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6CCC47EFE55A0DAEE97910A00A37F37,SHA256=6CEB9DC52BC444AB2EFE195E7240306FAB8E883D52B55F245753C79B2E00E2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20012FAFF8A063E8002B4CD5C2834BBF,SHA256=A86E22E5DC8F383F108EDCB3AD427AB9C90A00B904F46741E0800150EEE23CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:18.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39C7782B79A09E1BBEDB9D337E6FE47,SHA256=1ACB3F8C1F9396D0A750C9AAE526564E69C784382A23233F604A970ECABF2222,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:18.511{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001043421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000001043420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x80000000000000001043419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000001043418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b37b-0xdbe27171) 13241300x80000000000000001043417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000001043416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:44:18.211{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x80000000000000001043456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:19.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF16F7FD192D9CE83B95F639E90BB36,SHA256=40E5EDC1BBDD94FEAB0E997131278A7FF08E7045A3804DC82C990732D8A842EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:19.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4490AFC57E59C4ED18D3EB3ED429A28,SHA256=43D5D7AEAAE281C35E22B83724F0EAC5241E65F39B571541F8372F2311896E83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:17.496{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:19.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=194070E84D45759FCED9473A6B4DF2ED,SHA256=E0E39F7528F98E4F7970BCC2FFE3490ED4723B6A303FB71BC0AB5F86FF6AF511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:20.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4737E6A2EDF5088EC69FE9DD0298882B,SHA256=9A6C12977A83E2192461EAD945DFD0F86D6B28CB27ED73CE7002AB144BD0F340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:20.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D347C1CD386AB870546C760C1A0D42F,SHA256=E366A56A35C7D879B1708358094CBB6D61D398B08B5965DC3BF6ECA51804CD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:20.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99D1FDFA892941BE8521918FB288992,SHA256=8E65C190A6EF135AD5CC63A5044BC1ACB29037611D6D8FAC4713B625BB388404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:20.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1E70D03BAF7D843061C1CFF901C47EF,SHA256=4D4F85F9176AADDAD7B216E6138F1233066C519C73F7CC8A69AC992EA45C00D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:21.809{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9E47A323F83DFC823A9763E606CC53,SHA256=6C29ABF45789D143BC21915601D1AF47301FE969DFD34C0D3E5DD18FD24F84CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:21.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99D1FDFA892941BE8521918FB288992,SHA256=8E65C190A6EF135AD5CC63A5044BC1ACB29037611D6D8FAC4713B625BB388404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:21.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047F0AE194BCF16A21BB8DF935775D4C,SHA256=594C48FB597E15F031F798F941F51F290ED8AF4590E834A4E2BF37C9E99C1CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:17.935{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:17.699{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59059-false10.0.1.12-8000- 354300x8000000000000000972675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:17.337{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-63121-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001043460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.961{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E352A1C8DB6EE6363F1D7868973F072,SHA256=260F786ED0D2049AAEC6EFF25457451083DB7BC8314DDDA805290FACC033A604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:22.439{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4281MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:22.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF46CDE55E9F8B0A248F96152A103799,SHA256=13619DE0665C8075B1844B9D9989CA8260FE38B401029E80DD8CDA3802E7933F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A76722DD6040C6BBDCF01E49D18E8A,SHA256=C4EC7022CEFC4FABA2ED20516AB466E4801A9C4E6774BFC4A15B8FCB7F934490,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.852{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.852{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:23.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7EA01E09E3BA60E8D7A89D9DFB4AE6,SHA256=1A290B6CE227D861EC0862F6B9F3F3974E9A18FD336A1C9CC70294C5417EF723,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:21.838{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001043469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.251{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.251{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.145{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.145{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.122{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:23.108{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:23.437{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4282MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:20.203{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com56530-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:23.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72714526D69F8CF5F86EB68B35492099,SHA256=85B4464602ADC038F8F7B85ADE6C1F769D1F5D2DB32F9F16E3770EB5B058828E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:24.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EA77908634FDF379487F7454211944,SHA256=21BC7DAFCB8BAC6301D6FBA7515F4F7795132E69462042543F56C46011CE9592,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.820{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51830-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.806{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local60405-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001043477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.806{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51799- 23542300x80000000000000001043476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:24.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C88E9EFF0CF276302BD265BB16883CD3,SHA256=883EC8C67D5E50EB5B62A8089ADBE1C5DE715258398F209EFE122F2A7C75D746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:24.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5023576BE7D411CC4E1E381459B602E,SHA256=94B5BF57B7349E092986C6D0618B4443340768AEC695AED09972AFAF2EE2EDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:24.020{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\24892MD5=916A5A6FA4FB9374FC8CB7164BE5A878,SHA256=7792045DDEE26728C545711729A259BB208A3097310AF37718566119C9AC903C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:24.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827C1752C94EBB182FC732A6D383D924,SHA256=334A2AF2313250F117468D139621882C8EC89D79B0CA465C2E3FD887438EDE43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:21.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001043481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:22.974{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51936-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:25.084{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF2AC3525D2231BFA6960E97C47807E,SHA256=626E624368B085B4C06D7FEADE2ABCFDBA2E553FD80575A6E61E2EEEA01814C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846A-6151-0479-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.894{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-846A-6151-0479-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.879{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846A-6151-0479-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.880{69CF5F33-846A-6151-0479-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:22.833{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59060-false10.0.1.12-8000- 354300x8000000000000000972704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:22.164{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000972703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.410{69CF5F33-846A-6151-0379-00000000FD01}32403968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846A-6151-0379-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-846A-6151-0379-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.207{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846A-6151-0379-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.177{69CF5F33-846A-6151-0379-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:26.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42EA3BF301757CC6EACC0C72BA216C8,SHA256=B67A1B1611209DAD9FEAF7E2860B8EA716EE88236B1BB950443F50D3336E4C12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:26.764{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:26.764{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:26.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA435A5B5D9F67E59248BC7936D4FFF2,SHA256=511FE9C11A36EC821B55A41A2528B1FF79E7BC791E8747BF934B57B7093CE9CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.582{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846B-6151-0579-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-846B-6151-0579-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.566{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846B-6151-0579-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.567{69CF5F33-846B-6151-0579-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:24.493{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-55581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2241BBB219EABE040717354FF91210D5,SHA256=393423B12B987AD1DEBDF9B9D247BB50401F2870240D36D13850D055667D39BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8EEBF5633F37E63C8593831C8200875,SHA256=41BBE29B3556B91DA9F7F9CF8271C16C48BC92DF0743A5D2E6C443AE2A0A8BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:27.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826B6770DF8ECDF3C3B58134DE2AA456,SHA256=2D5DA44078633583A3CD9A44FD5BADD4115351ABA32D116E7A21C7A2B2E3FD72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:27.067{69CF5F33-846A-6151-0479-00000000FD01}12522840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846C-6151-0779-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-846C-6151-0779-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.957{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846C-6151-0779-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.942{69CF5F33-846C-6151-0779-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA7CC7BAE70BB2584C223A12B52F8D72,SHA256=3120CB4AA1C37E9B7BA007F67E7C40B35EDF8996986398C869A4AD149DC0FB9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.488{69CF5F33-846C-6151-0679-00000000FD01}18964004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846C-6151-0679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-846C-6151-0679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.270{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846C-6151-0679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.255{69CF5F33-846C-6151-0679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469466134E58DAB160957B4960C959F7,SHA256=CA0C08FE8CEB65A8FE134B477AFDF9D363BE4D412D92CD26029B905A119DFF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.928{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:26.844{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606866ED146C4411EDCC094899AE02F,SHA256=C243E0FC9E3B9DE911CDF6B8EBFDC00B02BCBEB837C341DE319532B6FA56D285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=2EC8834543C1ABE915E7753E8ED6A08C,SHA256=078451ADAAB71E9A76D56732BC43176958DB42B63508FD9A3A33FDC43D15D96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.110{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=6DAE01D8C72752CC8288FDC4167C42EC,SHA256=2092E8C8F6A426C06F02511C680490958092D26B326CB76F8B276E344A88D47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.110{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=33F03712155AF701868E1A5D41028A88,SHA256=43E3C87BB3DCD6BDA935611BA6D0DE14FD947F5AAAF7C59D047DC030070E6469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:28.096{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.894{69CF5F33-846D-6151-0879-00000000FD01}5163108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E242893B377F46BA70E457E0F3A933FD,SHA256=D2E1C00A4F2B6B1D68D7B65779EDCADF184CBAD59B4EE8E52387DB0B1975E0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=427853F571E00787F2C005A8209EAE40,SHA256=D457235EC9EC6D9FBD09994B07E353CE2208E079C02E0FED793E786C19E2D1A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-846D-6151-0879-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.644{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.629{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.629{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.629{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-846D-6151-0879-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.629{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-846D-6151-0879-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:29.630{69CF5F33-846D-6151-0879-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:29.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7EF50439DA2A157AD3B2355A7C3885,SHA256=52BDD4E8F399335117EEBB42CC72E357B1D1A787B9A9A146DFC27470FF5D5F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:27.677{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65358-false104.18.9.111-443https 10341000x80000000000000001043494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:29.070{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:29.040{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:30.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6617334949D1939497050242DB029DCA,SHA256=8A2E77AE30C3B6D191FF284EB7592170269847FAFD9A890B6F7A95E97AADDD58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:30.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD400224891F7D399FDA19304C064D2,SHA256=09E24B75312D7713B37259E8785A5B321BA6F3A8D334D85F72C73C11716F5999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:30.358{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:30.358{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:30.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29730A3EFB35F99EBDF68BE960904DC0,SHA256=38944B4063309A87BE492DDAC307F9E47B1D1CDD2017E813389F303052F9F574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:31.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE38285529D048734962C9BD1D9E173,SHA256=890D34E99FCF496499A6D1E48EAA82991AF626E7807BD45DEEE8D82F9DF0B5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:31.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC009BDD9803DB90C280A5A1282DF35,SHA256=15399EBD092D4BA13ED9260084E7B9BAC740496269C493BF467FA30E266A5888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:32.236{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE653C552DDFC2AB9CD1470A2F494474,SHA256=A96496FFB27130856CFAE8608E9A56F401725F0FEF6CF80DE4333616A089555A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:28.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59061-false10.0.1.12-8000- 23542300x8000000000000000972784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:32.332{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4E99A9CFFED69D1ED28B2614DC67BF22,SHA256=9158247766214F83B76AE929CACC19D3DAAA4591740099BFDB14272F6A696F0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:30.424{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57249-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:33.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01FC9E19B8C843CCDAA39CFA2B2D412E,SHA256=04029D0FCA15AE9C045F2F80046B1C2246FED5405B687EA57C885242D3F514AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:33.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE06E34A3F31EE3D4AAB72C76DB9EAF,SHA256=45C4EC9C8D0B9D94500F28C766B7F4E938EA95BA92EBF7A37A3092A843DCCA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.708{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=A53333A7F8ABC36CC04A3A3ADDA6808A,SHA256=6B1840022BC1027F612D4445A4C785E6A8A93CDF0C839898BCD17C1B2487EF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.708{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=BA4B9924F8A98C775DCECEBA05CC2186,SHA256=305231317D944261502164E3E63B658B0E6DE75FC02D8EB844ABA1890A3410CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.694{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=A5814D9A75B390FA473D39766AA95E05,SHA256=CEE3F62F8DEA46309BD25E4941FFE60014E1CD03DFB8CEA1FA0072813D030A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.680{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383E148E79434629EA86FDB069218FF5,SHA256=76845155229FDB2BA5EB3E99489D6821F3AA1653ADEDACED642AA84587BD9485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:34.160{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AADE7C14CD4526084630CE0CEBDE87,SHA256=4C5E284FAD9757C8268ADA900B3C1543A08CBBA35A277A4E860E783C0CD7A1F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:33.296{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60567-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:32.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:32.679{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:34.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76657B45742DADE512DDD397C4A6D33D,SHA256=89C61CA536A34CA6031CF7A9DAEB98772024506823CC67A94FDDCE9FE1316A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:34.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C88E9EFF0CF276302BD265BB16883CD3,SHA256=883EC8C67D5E50EB5B62A8089ADBE1C5DE715258398F209EFE122F2A7C75D746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:34.253{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B363F80A88C516D7A60BB9501C8CBE,SHA256=86046F934193DCE348226F40F484A76ACCCA440E7611556292D1E1C08B9249BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:35.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035936F38D4F6AF24E2F84290D226DEB,SHA256=3B330F7ACD0B40855083A68FC59974C128CFEF4C1BEC5D28AA3A7388671DA24A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:32.991{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58868-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:35.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12DC345AD64E10B24206EC93AF888C6,SHA256=3AA08DE19CDE47F2556F7C11B7945FA0E75E7CB4D7D8E3C25E16C22449D15813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:36.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5361723209067FA7B51E6CBDAD87C82B,SHA256=E7863766871186782CC8A9565C0C173264F9A8AFB25665E7CD430174176800D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:36.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0915AC5D2392A49941307B56200DDCA9,SHA256=0A6B023A51F298333911D5DF6380AC45F593BC85E3C13B7555A5A3BB498FDB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:36.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0980F4E64A84B349652C035CDCFFE198,SHA256=194BA472EE2B2A68789F53B4BBA220834AD52B9D1B022C3AD282210ACDD726A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:36.011{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:35.689{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001043522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F437DFE20B0B9A19031D7408AD11102,SHA256=C43590DB2C26E36B89DE3B7095FAF3A98F57301F12939F279632EBE888058796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:37.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3689964D51D1FFCA99C5390C39C34A4C,SHA256=40F84915D404999F4213978346D455C1F35D0BFF64938FC9CE85C4AA60204EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:33.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59062-false10.0.1.12-8000- 23542300x80000000000000001043521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.127{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=15474D4CF87633BD6BBEE11E337267E3,SHA256=4C8C917FB9577E3865275AD03A3C3478077359710F60BB5913B0B1617E997E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.127{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=546623BC4FEAD3FCC085E96059BD330B,SHA256=4FAB5714A527C8507D00D947C10FDE9FC2096F406DE18889506C5A59D859A615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.127{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=15C3B817F3A09206992ECE685B613F6E,SHA256=40DA13500273A344D50C84F0341360104E3B61A66A91F95CEC589A2AEB1E836A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.127{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D980CFAF6858367114712F29B748B5CD,SHA256=33233AC72AF695B0F9C1200370EA7C674328906B65AC728C6D940BA580E315B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.113{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A645DAF342991B46FF3020AF87BD532B,SHA256=40744877308FA5D54F6AEA7D60D1ADB4F47EAF9765E69BD085ECBA6A10EAE52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.113{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6C7638D976B37B12E86562AACFE52403,SHA256=2C258C8D61FD441FDAE571D3194942EBEB52ADBAC0F16CA2058F9C4F41B5AEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:38.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA80104E5F6D834B9ED10B425E55CD4,SHA256=7559EC8B839730D4296B10C44D56CE0CD2D2E619A60D471E9954F08F59B14706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF4D713DED69BF1FBA4F39420F111D6,SHA256=F28E46A7F55B583DEDA5B09CC4EF08C827349C26F8996956AD50C0378C91151F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8476-6151-0979-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8476-6151-0979-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.379{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8476-6151-0979-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.364{69CF5F33-8476-6151-0979-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001043527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:37.864{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:39.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF805C6F650227775944B343721D69F2,SHA256=725DCFE361C85A8A1C79435B9A0C5598EE9F6A3CBE69C4C0EEDDE72BB72A5C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:39.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=723F12697C471CE47B8C133C0C3E29DA,SHA256=10B71D407F696C56BFDFFF949A9B5AA1C53B2C54CD7922D76E4BA9AC144A898B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:39.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA8549FA42ABD24863C581B1D8EB79,SHA256=E4E0F12FD17CF479F2ACC1165B5DF8831B819DEBD86B18594E3B5F1D3EB67F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:39.030{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40BDB730A9428341BABDCF44772C580E,SHA256=2296580BD8DE94060875CE0B7AC68D283AE1CFDF9E52CE45FDADABDFA7FC5259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:40.418{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81027D2D0578D604F77BBBA9957C1C43,SHA256=72551BC2841714C40980CD351ACA0031460C5A257BDCD2325D33730B05089E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:40.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80F68EACB7C07950616B28170FDAF70,SHA256=8ED55BB90B7FF165959E2D2C4A4FD704A8C88EF216F33B9746850111904B0168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:41.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561042AC3A26DD18E9299A317129AB82,SHA256=A44AC2F7BAB8439DA85C5FB5107F33CDB73BE2F517E2CCB7914209B1220C8BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:41.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8513883A7158A64A2035A6A7E4E8B698,SHA256=4A8BF0A6E8F7338A69A8A6926C8BE571AA9B3AADE64F75C9D985212FA0673F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:41.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E629427FEB1143FE8B2AA6354CAFC7,SHA256=653F6EED15A0F6C6C84763340F22DE94655EF083067ED55BEA9193F2B4E97450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:42.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5804A709ECA7C4E15EB2C139FFF1AB20,SHA256=9B139F50EAD2A5F81829DC2AB0DF13F37F52FDEB017CBBBA151CE6F4C069148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B037AB7557528FAECBAFE150DAFDE5,SHA256=159FC49F323895EFDDE134158F0EC5E7BB47A8FA902FFE20B643AF4A9F56879C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=60939FCBAFFEFE80F86DA53A42CBD73C,SHA256=21D69184FE3174FB97DAE27E5AC6BA52B8EF998B6E8853499D4DDC290CDB0F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BBA5C04E37C9F869BDE8A31161D8B47A,SHA256=816FC0A18E7619FD676A17A35828847B37359E1BACE46D587C8B34F2FED739C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0A5CA8965F39E840DBE81A4A8FC83828,SHA256=38D1CA4A8DDD9F10781759A91F02E6934AA4AAEA657EF7F95889813302E6801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A553677877AAA236760C3DC001C7D72A,SHA256=8E114E042454D046ED453A1FAE8F10FBB5A3B6231BC957999B330078CEDBBA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=573C3DE113C5D630F2528C75E6777549,SHA256=F54C0A0084B1A08963BAAB115B2F668F884E0A70F0CF1692DDDD97088A8F3CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:42.134{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=152E1663DA913B1B94E4238E824F1DE0,SHA256=13FAE17830A24AAA882A55D4D3A8B998F583ED92F5A1F9D35113C19A8BE9B9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:39.692{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59063-false10.0.1.12-8000- 354300x8000000000000000972816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:39.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000972815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:38.978{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:43.452{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800EED52FC76217E5D452FF7784264F0,SHA256=660330554DE0EE9E6BD3406D5A670A55DE30BAD97D9ECE2401CB0F232451D8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:43.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4FF0D50B5A157F44DE3283C3C29C3B,SHA256=3F8EA089999D71958ADBDB90FCFFF9DF919FCBE0B9998E80BCE0AE29AE180897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:44.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7B6A7A83B3EA0D407B678F29549F8F0,SHA256=85CA5387F30ADFCF3D52777F868DAC56A1B4F84EF0211751052D95BBF0ED1520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:44.452{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E884695DB8E2E73885B8300BCB2297F9,SHA256=47B79115B6BF9181716D6F9EC02F1E605905A8A373C148BE94D7C89E8C4E6903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-847C-6151-6079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-847C-6151-6079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.983{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-847C-6151-6079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.967{5EBD8912-847C-6151-6079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:44.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AA3E601FE67D94F1078D2A5D535318,SHA256=1F40D6810B99BB5DF254725A05AA79A045FDFDB34759650075413D9D769CE9B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:40.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53036-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001043559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5667751929301AC4A75B7910774183FD,SHA256=4AF1A409BA56A5C535BFAA6A5FB6717CB52666F8D998C811AA87D8185CCE035E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76657B45742DADE512DDD397C4A6D33D,SHA256=89C61CA536A34CA6031CF7A9DAEB98772024506823CC67A94FDDCE9FE1316A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:43.773{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001043556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-847D-6151-6179-00000000FC01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-847D-6151-6179-00000000FC01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.669{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-847D-6151-6179-00000000FC01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.655{5EBD8912-847D-6151-6179-00000000FC01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B95799E90080B8C8DFA9F3722ED2AA6,SHA256=8DC6D35D15D85B925BEADE719C76F6BFA1DCFCC78FD3438E33E3DE33CD81A6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:45.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82675E58B37EAE2158584241DBE3FAB,SHA256=1A7C7FE5C9BB7728CA0C6AF691A95570564D30F85B59F448A4ABA5B5A1EDD3CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:45.197{5EBD8912-847C-6151-6079-00000000FC01}56723164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:46.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BAF515AF31FD23D4C7A1D5BE0F93FF,SHA256=668C9BE9C51F1DEBA17AF606FAFB47F5027BC07A00228F7A98383B9C0AF49331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.585{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54422FFD2CA6E83B6819BCD034FC334,SHA256=9E2C864D466F129050238306143F98BE1A927D8ED68D3C2E260939F571B01900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-847E-6151-6279-00000000FC01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-847E-6151-6279-00000000FC01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.240{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-847E-6151-6279-00000000FC01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.227{5EBD8912-847E-6151-6279-00000000FC01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:47.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93482FB0E0A38FD987F4D494C175395B,SHA256=CFF2D7067203AF13A403021E28B28578BCAF0E131DCE7A318E401E610BBFB776,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:46.428{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50347-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.586{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828281F454ABA9DC8BF99ED12F802DB3,SHA256=483DB3D15CE09F4B53503404328B6735174F11B6FE2E816058CE9C3809F9F022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.286{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5667751929301AC4A75B7910774183FD,SHA256=4AF1A409BA56A5C535BFAA6A5FB6717CB52666F8D998C811AA87D8185CCE035E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=814F2E608C820A5CBFBFED33E1F6C22E,SHA256=A3C4A18668CC2B64971BC5D0EDAF6202452255E86B78A0CCC1F6658E23D00F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=163A248EE5F00C0C1BB22173C5459F86,SHA256=FBDDBAD341527E9D82F845549625440F583C25C7B717D799350F6A97D6A4349E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=68418FED9301173E5746B6CEACE65C5F,SHA256=C7C4BEC3F799CBDE7460EE3CE72CFCADDE646D22A6048E14C84A3FDC16BE27B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D0BE4B0DD7CED2DE47595CD0597B05E9,SHA256=EACDDFF4806646EBBA1124273B0DB44A64FAEC2CD93FBD4EA048EE5E301E97D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9FDB133A0417B7A6EAF207404F2EBDDD,SHA256=0AB79963B0EC9AC6181A654EF1FFFDCC86F8C09F2B35203616C4D07E18F42D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.185{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FEB51CB0D610A0EAF0671158F7F754E9,SHA256=FC1AE4D9124CA347A483AC3791486C81D1921D84A58C48AB14DCB96446D79550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.171{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=19857C351A3C3DE953CC6C05FC1764A6,SHA256=1ED751F323F1098F5147F2489186275A5690B1B59C592CF34080EDC79AF4C181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.171{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1D854F36753B576BC2E62FDB6278B108,SHA256=38DC23C4E9B818BA711259164DFF2395B3F56FCCEE4F1373DD93D1FB13A9C156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.171{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=182E371F9E4C0C52E7B036D3A8D19A94,SHA256=B212D16E5E0224949B4085B1B48090C56BBB99E1CFA7F859D3948986ED8117CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.171{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5E51FD0C0D5F6BED19E06F3174F45F22,SHA256=8DC8AA3C0561327D697D98139F86DE817AC203E13ECDB4C0F80D37411C05FD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.171{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=07C3317105960BC67EE2ACEDB5905367,SHA256=94A596D360DD8EFBC381BE13B59230AD7AC26AB88EFD45677983327E07A99005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.170{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9027EA1F13911B8A60F61902A6C50D8D,SHA256=2466F07F1AA081248959C023332FFE07F4153A2500E1D24D3FFDB5B2B0547531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:48.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A0A53FF6D53FA1E9DD9FA5D216000C,SHA256=9DA86144F7E1213ED1C9400D275FBCE4C4393C6B76F10D6C3345C41B6069FF7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.333{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-50452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:48.588{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E8C956B131D9409C1026F8E0058610,SHA256=280CF681F8343D2FBF23CC2BE8EE44AAF123B4E9FB86AC7326AD611D3CD086BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:45.719{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59064-false10.0.1.12-8000- 354300x8000000000000000972827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:45.489{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com35138-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:48.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D0E22292F6E58F29841A38A2B1E261,SHA256=D7E6F2698882ECE268AB5A227C0376C9609D02F345795E5D79E431B90B42DFD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.927{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com38029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:47.482{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-63363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:49.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1611C641B96A0B368E42141D81EB3C0,SHA256=70B4BC4AE82577263DA50F1BEDE6445C033114D4E5D7BD592D6734AD3D89B2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:49.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D781E754B56FFC4768429DDE6E612847,SHA256=267ED38666238829258F992F2789E536F2BC21D79E9F9727A777296ED402D5F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:48.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:48.342{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51506-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:50.851{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267837DD848302855F36F3BFEB2B55C2,SHA256=7516F1C092AFF2268F8280EF6A45F985F2D53F241BFFD8B78670D82DD98C2FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:50.849{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4281MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:50.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7589569AC5010F3E504EC38290089D,SHA256=30839EFA2C62B15133652C47AE88E9111C9D335D58FD64AB6210A0C93283FF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:51.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D3C1AF7B6055EF5C976D0CA6A0FD2,SHA256=39266BBA550C48DF5CF6990C7D234609CCE0134B5CDB32281D6DEBFD8A973F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:51.405{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD0032D4E2A7A3E94760FDE75F5F846,SHA256=C9608A1DDCDB9788E66460C6BB3C80EE35E7672089600B59680DAAA0D60B0FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:51.849{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4282MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:52.893{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB71B063A1735800D9102EFB1239F54,SHA256=9430BADE1E7212C265F27B4FEB3299B99BB42B676AB1C993C946C31790253897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:52.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8F370F16CC9FC97B04A96B96698B0A,SHA256=391CD56DBDBDE9509326200D9A224FF3EA7657E52896A08F1361DF7268499AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:53.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B7EAC7DE27F90955ED57AC7AA9E2A2,SHA256=89D03EC96791B1B95935530CA82C43858C4329AE30438952330EFE2308C5D66A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:50.734{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59065-false10.0.1.12-8000- 23542300x8000000000000000972833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:53.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA05BA228B5567C161D4F2182F9F113,SHA256=85AE24F9B6B348CD4374D6E335AF2D0E3B7F73687C53BC54745BADAA37AF682D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.952{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D3C3204259F5EA4D5C0EB1FC48A603,SHA256=E583D5F168024356E94B41B1EF8F00536904C2A7DBC3D8FCADFE09FE233063E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:54.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D340ECE0606A46F9D0F3BB55B42D5F12,SHA256=99D2BF8CA526820C348C9A7D063618EE0C17FC97844F9069A52376F52E0131F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8486-6151-6479-00000000FC01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8486-6151-6479-00000000FC01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.823{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8486-6151-6479-00000000FC01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.808{5EBD8912-8486-6151-6479-00000000FC01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.401{5EBD8912-8486-6151-6379-00000000FC01}54323548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC733EC585C37915D97468F1F2D02B3C,SHA256=B7629F54B27A4AB4D906BD2D64B3DADAF889F5D6F6751F3FC1E138786930CBBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8486-6151-6379-00000000FC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8486-6151-6379-00000000FC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.137{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8486-6151-6379-00000000FC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.112{5EBD8912-8486-6151-6379-00000000FC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.983{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDE044C30F03BE695ECB984695051FE,SHA256=7F8ECFB4474F8FB8D9EED75CCF8863B8DB1DC48CA8EFFD645CFF4F0BC6362A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:55.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17F124C41181C817816E43ACB014EFB,SHA256=B72F0979578CCEE8CBDF5E6FF35504EAAE669186F21557539CEDEC88BD0CC955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8487-6151-6679-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8487-6151-6679-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.955{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8487-6151-6679-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.940{5EBD8912-8487-6151-6679-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177EBA92E3CF57B04EE4E7FDFE27BDAC,SHA256=7B379BFB0A1F9011866887D13B152957990330F243C854D5212F96BCC1CF6CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8487-6151-6579-00000000FC01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8487-6151-6579-00000000FC01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.394{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8487-6151-6579-00000000FC01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.367{5EBD8912-8487-6151-6579-00000000FC01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.051{5EBD8912-8486-6151-6479-00000000FC01}63125476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:56.985{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AE2B48ADD844ECE9BD2CF9F3C2ECF4,SHA256=E4B04E97196936CBD621E59EB867377E10403EDB5EAF87FD316A65FA0D8D7324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:56.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B1C4821C40AC962D056391DA3045CA,SHA256=3E5E71B3A05F420FC3F8E7FECD10D3AB0C977B2BBE9525CAB363AB9B10673838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:56.944{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DFB0E16DED97C8E84213A68B986C824,SHA256=3860B6D988EB0CAEFAA1263CDF3EDBB7E901F6F98C529F17709393320A66B498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:56.145{5EBD8912-8487-6151-6679-00000000FC01}29246028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000972841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:57.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CDC24F734CD6046A012D503D19C9C3,SHA256=1E00171B60C56D89ADE8BCACB57777FF01841AFD3A61F6F882ED06BF3031D141,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:55.062{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:54.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000972840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:57.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC1D257C2BF04E0773916DB619259457,SHA256=C97463E8C04C4A6775ACBBD4FE8B75605820A0D77B7386F5D1F3A55C48AD4B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:57.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E1D6E1AF9C26683FCDCB996822DB5F4,SHA256=D4939C1AC6CC10325A5F8B4CABB4A3988B58BFCECE621F1295F6FE7A3B30E665,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:54.293{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:58.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC1D257C2BF04E0773916DB619259457,SHA256=C97463E8C04C4A6775ACBBD4FE8B75605820A0D77B7386F5D1F3A55C48AD4B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:58.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE6EED9142B9BCCBA4794C621F9F2BE,SHA256=F7D87EDE586AFC0DB67E7B10C97E41B314A6ADEFA54AA790629DC651B108169B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:58.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40151366E0E88C5EE3D3707ABB36BB2C,SHA256=22C7FFC4B503A118A3AD19F3608406FE34EC3B620C2A319824C5DCF3A17ED1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:59.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D37CDC66503FF4B3FA09DBC7EABE29A,SHA256=F7CC995BB4DED75B8524E78E3BC9C3E201F44CE4E95C2BAD8B647C72E7F2CD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:59.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD10EBAB68B405CA28DD423C94A837C,SHA256=1E47854DBC94C327BEE772D00D26D5AD828E147F9E0B436768F7522C876457EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:00.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A42E7B80B40976B0655F1249936DBC,SHA256=61D7504ED12B685F8470897F21A1024E9D36C0E1BEABC95E8595EEC29763F1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:00.873{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98122EFD540375167C7E46A30AD97CC3,SHA256=44B2DF48749A6464A7A51A285202DE8A0F6BA7D24B549841994EEBD596C16AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:00.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832B5BBCE8EE71E0D16F4473B8E502D5,SHA256=287638F3BC8512817A84A0CDD1829A24C4AB3C3010D6FA93B523652F0F0881BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:56.687{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59066-false10.0.1.12-8000- 354300x8000000000000000972845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:44:55.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56837-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:01.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB3E2CEA896189B5E1E8955B69161CC,SHA256=5DD7601964FDD3A0DB5CD4159F21123495A0A06BE3A6EAF6E0680D5A8A885FE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:58.777{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:01.153{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F156EFC51BDBF52E9C9824735117A0B,SHA256=C704736190838A3A173B903B49167B02B387BB97C8C1F91DFE13E24D3F1100E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:02.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9262C64911E8006A29D594C07296CBDF,SHA256=4D224E90D3C810ED51B3BC098D509DF8CEC29779082547E8F39D8157E0C0D45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.256{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1011B2107D63DE8B99B9D000A33625B1,SHA256=A42E141F5157DBA6BD08576BB8B7E2283A26153BFA2CC95362CD544624AD967A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.256{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=13B34632F204FD922AFC07F4E7765AD4,SHA256=63BBA2B43FBD06A65C0FB080DE3719E9C814B00F5D4DAFD9349746BF8EAD7D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.256{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6E9D3E8612B78B34CBB465E1A6385952,SHA256=E34B2CA1AD31A5BE3DE94C8237933882395069F081DBF5E94D06B7724DD96D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.255{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CFE644990CC61C935DB0AAC56B0BEBC1,SHA256=8495AE639D002EF95801A8707B7ED6D1E00D004A2B34BED8353CF4CC0DDFB420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.254{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DC1758D3901D76A95916256C9CA93F74,SHA256=AAEECD0D0669A4F9E114D341219E9C298AC17EECF0D76F870080B731D6684BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.252{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=68E110814F10FBA9B2B49957DBE04400,SHA256=DFAC114C24EB34924096A5BD63D5376B248BAE1BC5AA5E5DB474D6CBCA486045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7E2A3C7610977335CE815DEF94B0A5,SHA256=12D8B830A86BA8EA52E3EB9C8CB227CBB23547B6AF1EB9754535D43549392CCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:59.944{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:44:59.168{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de60387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:02.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EACA937D299622515C5A953E8135C39,SHA256=0B7B681BFDF733ACDC46D8B4CD2B1DAA46D17CC9CD4D7FE411CDE9EDE05C954E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:03.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1372586755A47841E65A46C9833BB70,SHA256=AC56C4230EE01BB43FCCFDD059A2A8DC63365A21D1F69992A052E62BDC04C6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:03.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1614C9FD95367F21A91E6AC1952902D7,SHA256=9F8C09B7F928AF1F9DECA8EE6958E714AB9C12FAE0E6659F4F14326A64439B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:04.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CE623783295E3AFDAA359BEBF7DA63,SHA256=D55A4D0C6231E796AF34B1F528AE00231F524A4396D508D9B626C582335E3006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:04.272{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DAAF8BC1281B1DCF50A216693EEADC,SHA256=9FC7B34CA86E6D9B90E665E60C6789B589A299A0F341785062FA2B6385DF2154,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:01.879{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59067-false10.0.1.12-8000- 354300x8000000000000000972853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:01.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:04.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF79DA5941914EC0BC9EB8666DEB9D3,SHA256=1EEC9F383D8ED6B17EEA62577CE0C88B3D18E9046C503FD73C49915AA63EEB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:04.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E62785EDC041F9FB4EA9A4E2288C262,SHA256=3015DC5E94459964DB0C85D89DD7582C5F2857FD06E582459821E46F64C0926D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:05.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0256A8682C07AF1B32C1DE811DB876EB,SHA256=3AEB92936B9B784FA656C453E64A23372DE87AADDE45B9E883E5DE5FA0CB2807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:05.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EECE9EE4A59BACD0D250AAFCB7C2EC,SHA256=1AB963AD3E326B1DDEC92DF228C0F368CA3DD3C97AB452AD6E7C2C42088B3B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:06.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB151346959AB665EFB49F2AEF88266,SHA256=6E028C532C83C041E9345F6B429A87797627CC1111D7B268E36B4809CE4F19BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:06.318{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5D5856017CDAD5C6FB5C71495C3F1F,SHA256=0D87DFAAA4590714D113651B47F2C530FAF6B1B2C6C16A828CC913160068E801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:06.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF79DA5941914EC0BC9EB8666DEB9D3,SHA256=1EEC9F383D8ED6B17EEA62577CE0C88B3D18E9046C503FD73C49915AA63EEB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:03.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-60904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:07.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C5F82913B062C76B14576671E762EB,SHA256=4999A6AF39D46178C82D4C8D5944E8C4CA992DF8FF2249AC718E98F47215948C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:07.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC665AB446180F0D89A91005A5658DD8,SHA256=1B303662405E2408FAA282500FDC325CC66E6AAF36C38A5F8B2F9D67EBE06506,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:07.660{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:07.660{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:07.660{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:08.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2665B7F43EDCC641C8FBBCFBC0A861E,SHA256=902089CCDB1CD1C8E12BFBEE2317E4DBF33D59C3E94C77D1AD33E4397D505F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:08.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9662F7E775D03498D5CD94D684F54C2A,SHA256=5130E52A28568D0B08AEB5B90EF1A2251BCFBC3654E4C979D70EFD67DE5996C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:06.360{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62696-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:05.894{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:08.452{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C965B94482FCE0102E1004CE08AA7A87,SHA256=13AD8AFFDD507424D67354989C6BDAF9AE9B9DE4F566F69612454D368ECC9FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:08.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47132F3354661FD52C0B4E19688ADE36,SHA256=6A8304F05B30231283BAD184D0AF1355CA993DB35FFCC90C2618CBD88172A5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:09.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399AD7B4F56D4A71497DA575723747F7,SHA256=B60D7464B929F8A0B0A2E5714E01DAE2F864C38D08E435C3004E7014E1276021,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:07.622{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63581-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:09.502{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3F9C8734896D39FF9EF500E1AD3F40,SHA256=E0639D7561A2A5ED1049DBE0AF298D7337D91C21E4AD3C8643DF4D90625D1364,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:06.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:09.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A12468C43267E1D6C5D996CE0A0EDB,SHA256=688CC721D0F812DD2F2F3B1936074F12A265C92345695FE447190FE3A75CA29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:10.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F47074179C5680573A0832B9B5C13A3,SHA256=F673AB568992E8C86F674240D66B0035761021D556E55FFD533AB090FB97779D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:07.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59068-false10.0.1.12-8000- 23542300x80000000000000001043669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:10.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C82EBFFF2A794FCEC610B824A4024DB,SHA256=A198D15E5E3E2647D80FE006AF3BAF1C9A074A78F519043F7D8193B0BB2BC16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:11.738{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E776DD766C2404FF7DF0D11EA2A92A8,SHA256=6E7559956E8F03A2237483B5A5522264FB4FB2009F673487DFBEDCE67BE8D38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:11.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B2D3C468A1F1015B5C39BF8C2245C0,SHA256=54B2698C7883EB83EC70DF90B9E053A4C96CE92DD5207122BF1988A7417E214B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:12.616{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251B616243F6C18FBB002855A5A66816,SHA256=FF7343D85C0212877123B827E5EF2AC65B2827B588D7510CA425048D245D33C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:12.738{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EFFD323CDE6DA2013226F287550DF5,SHA256=8A3C254FEB7D8104F249179CF1D1C0A86A42E0C31F47596C14CC2769B671E10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:13.856{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FADD80FDEDA486ED66141C7847938FBC,SHA256=488C522804D80E64120103134B23F46BC866DC4CBB4C40E2964C24CA0CE775B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:13.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2665B7F43EDCC641C8FBBCFBC0A861E,SHA256=902089CCDB1CD1C8E12BFBEE2317E4DBF33D59C3E94C77D1AD33E4397D505F3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:11.876{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:13.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1AF85A85F5B746842794632EFBB874,SHA256=F8D6C466293C3F766144C5E4290664B1CE7812CAF81E06BFA691310EE9F4AC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:13.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267EC08FFA62BC89829DC9709FD2901D,SHA256=4362B51CA4B0EB1806B7A7661C483B572DEB076B25DB8C881F5C98D11DF62A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:13.113{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:12.922{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:12.243{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60357-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:14.654{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF851AD04AAEC8600A86918446FC4F8,SHA256=C7449ED4FBADAB1245AC930A5A9054CB710AB0D4F2627BA67819E0DBCADFF08B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:11.739{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59069-false10.0.1.12-8089- 23542300x8000000000000000972874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:14.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286B16EB9FF11B4D29066BCFD84BB997,SHA256=68A08D8C74FEC8E79DC8A20BC2F1485EB9038964E38E74959EAF496DE957D412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:15.785{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E74058443B073F63CB408774EAE6D7,SHA256=43AFA7C3315E930285FCE9F8528750A6F5E43785AE0259B339105EB70BF665E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:15.687{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4787B12A83BC6BD0617FB5BF75643E2,SHA256=D4DD75749E25003A852DA9A072B4CB6BE3F424B48EFCA3A390B5A886709B322F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:16.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2299CADFF91D62E81DCDFEE116D170FD,SHA256=C0EE191E3DBE35D00C840A79C87760218B55A03CDA300F817C4314D8E74365F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:16.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F855FCD5EB2829B47A185F8DAF60BA,SHA256=69A08EA5CDAF7B404F6D10C28520C4A17299B59740B150C028222F15A3F003F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:13.676{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59070-false10.0.1.12-8000- 354300x80000000000000001043684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:15.742{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65368-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001043683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:15.742{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65368-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001043682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:17.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79D8F97C31C2C939BE5883FE8403572,SHA256=59F797145F1240C55EBD894F957A184C55E611FB13FDA24810C8EF8B31DFED6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:17.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B3F4933CCC0E1B47BFAB4DFD2FB2C4,SHA256=7C37803BA5B843148A60433B746394754D50568EF2D120D7B28763296F198D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:17.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FADD80FDEDA486ED66141C7847938FBC,SHA256=488C522804D80E64120103134B23F46BC866DC4CBB4C40E2964C24CA0CE775B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:15.266{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001043685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:18.832{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFDB7CB1833034DD2D529874D0D12CE,SHA256=C0C0AB6FB576D6DDCC4056CCF1424D9692311B243BBF318CF873D80E030B5D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:18.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3305FF27888DF102629D17AF4854024,SHA256=CE6B208AB15F5D99A8BA28FA27C34E552AA44C3774E28A3C2F1EB1A0FD6005A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:16.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:18.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F015B7A4A5B2CE64415EBF9C83ED668,SHA256=BDB033CEFB40C51D286705D11D27C4F48C4C19620A6FBF6BBA98443079047FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:18.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E227BFC6D4E95AB326D525F20642D5EA,SHA256=B97F2D8E8408E276FAF96764B5A4D45688FB786A4C40BAA37E880B2877AB2509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:19.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA0D8D30898388BEFBF373B631A9A05,SHA256=8B4A25A6051C17416A095C34987C569261751CA005132A9FCAA70D63B43DBCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:19.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8E9CBF37C23D92D1B651A5B7B62C9A,SHA256=D1C3088A4ECFB61F401451F1023ACFD9415884C4C5B59C57AC4045ADEF425D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:17.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x80000000000000001043689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:19.773{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001043688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:19.773{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=6209BD3B3B015A174B7680B18C248ABD,SHA256=8322D0A378FB351781406E33F5E02BD26166F9FDCE9BAC26A216D5B358CBBE90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001043687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:19.350{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001043686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:19.349{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=376EE6A64DB27FBA70F66F5A381206D9,SHA256=4B92E20FFB8E5DDFF9606BA04E92D89DA1749A20A8DF9561E025BC4B6A11693A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:19.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F015B7A4A5B2CE64415EBF9C83ED668,SHA256=BDB033CEFB40C51D286705D11D27C4F48C4C19620A6FBF6BBA98443079047FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:20.832{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F490BB273E4D1C220E5362E6AD422768,SHA256=2DA5F98D1792474F245FF4C4D75E27E98E1F5AE3D383C38C67179C874CAE0025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F17D159A28E7434BEAED89999BE76F,SHA256=E293F6A6BBD497E50C4575E416A364ADD8C00F1B5DA6BA50AA47A644B0C0810D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.485{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e4901f|C:\Program Files\Mozilla Firefox\xul.dll+e3814d|C:\Program Files\Mozilla Firefox\xul.dll+e395b4|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 23542300x8000000000000000972891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:21.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CFB118463B725D6D0FE8BE960CD9C3,SHA256=30629A9ED709C7E85C47D3AA4DD58201FDE4CAB67EC3C0C348E4BEEB8E84CB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827855D24712351F16BF97D828AFFE08,SHA256=99204FC19721696DD2B8A6D6224C3ACD99872FB14E39739435E4C7BD285E395D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.205{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65370-false104.18.1.145-443https 354300x80000000000000001043741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.197{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54457- 10341000x80000000000000001043740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.688{5EBD8912-7B3A-6151-3A78-00000000FC01}71206188C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.672{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.670{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9635BC722710D3A173D3EEE316A28A2A,SHA256=76FBC1676DDF59F2D93C32AF6DC4C4115270D3A4FD6C69CBB28155CA67E91DA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.657{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.657{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.642{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001043733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:45:21.641{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\cubeb-pipe-7120-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001043732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:45:21.641{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\cubeb-pipe-7120-6C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.625{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001043730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:45:21.625{5EBD8912-7B3D-6151-3B78-00000000FC01}6180\chrome.7120.15.62054953C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.617{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c272c|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.617{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001043727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:45:21.617{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.15.62054953C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001043726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:45:21.617{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.14.167279826C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.617{5EBD8912-7B3A-6151-3A78-00000000FC01}71203088C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000972890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:18.863{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59071-false10.0.1.12-8000- 354300x8000000000000000972889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:18.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:21.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6B6FF461F0113795F047EDEB6A91B13,SHA256=A7A878D3C79A5DFD50151297F54466389904544A92337EE34C3C3ABD8A194A5E,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001043724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 08:45:21.617{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\gecko-crash-server-pipe.7120C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.569{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x80000000000000001043708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001043707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.562{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.553{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7B3A-6151-3A78-00000000FC01}71201744C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.527{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7120.14.1672798264\1090866659" -childID 7 -isForBrowser -prefsHandle 3728 -prefMapHandle 644 -prefsLen 15777 -prefMapSize 235573 -jsInit 1128 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7120 "\\.\pipe\gecko-crash-server-pipe.7120" 4440 16e72199138 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 22542200x80000000000000001043697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.511{5EBD8912-7B3A-6151-3A78-00000000FC01}7120dmcxblue.gitbook.io0104.18.1.145;104.18.0.145;C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001043696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:45:21.503{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.14.167279826C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.401{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.401{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.941{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCD3AED883C690C0EFC70B99F9DA866,SHA256=505F152BDD3B0B60FEC5B3134DF999385392C0231EF5D6BF02122E9CFC072DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:19.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:22.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2262E37A84C7BABC2CE7D5918B7173B8,SHA256=4B2B34C06DA8155D09C8F70965F1A7B950258F55432AE5D27C9A1DD89119BCDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.268{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55804-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.920{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65373-false104.18.9.111-443https 354300x80000000000000001043762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.914{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65372-false104.16.125.175-443https 354300x80000000000000001043761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.914{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65371-false151.101.65.26-443https 354300x80000000000000001043760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.912{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52378- 22542200x80000000000000001043759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.239{5EBD8912-7B3A-6151-3A78-00000000FC01}7120polyfill.io02a04:4e42:c00::282;2a04:4e42::282;2a04:4e42:a00::282;2a04:4e42:200::282;2a04:4e42:e00::282;2a04:4e42:800::282;2a04:4e42:400::282;2a04:4e42:600::282;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001043758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.229{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gstatic.gitbook.com02606:4700::6812:96f;2606:4700::6812:86f;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001043757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.223{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com02606:4700::6810:7aaf;2606:4700::6810:7eaf;2606:4700::6810:7baf;2606:4700::6810:7daf;2606:4700::6810:7caf;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001043756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.222{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gstatic.gitbook.com0104.18.9.111;104.18.8.111;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001043755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.221{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0104.16.125.175;104.16.122.175;104.16.126.175;104.16.123.175;104.16.124.175;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001043754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.220{5EBD8912-7B3A-6151-3A78-00000000FC01}7120unpkg.com0::ffff:104.16.125.175;::ffff:104.16.122.175;::ffff:104.16.126.175;::ffff:104.16.123.175;::ffff:104.16.124.175;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001043753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B3710C04981A808F6F8ADDDAFE01B1,SHA256=4EBF5F12CCBE9942EDDDEF231A0051531AC5958419F75A6F29D30CD20F121DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.536{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AEC3596519EE22B2E40914081A79A1B,SHA256=FA53053E86E7A0B4434B21EC528556BC6C0E6078BC14247CD5F43DE22575A161,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.912{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58029- 354300x80000000000000001043750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.912{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51589- 354300x80000000000000001043749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:20.910{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50824- 10341000x80000000000000001043748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.345{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.293{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-walMD5=036D9B3009BE435C61FDDC8F20624558,SHA256=EA17A2D43C5EF511E12521090DC8029FBA46FF3DD27B87DD041858D6CA2BA199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.285{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=8BAB5F8B3462E7BFADA26DAD562CABC5,SHA256=3D2B7F0963FBA1B91541C8822C302E20DEEB965EC65FB21228E37CF5FCD20776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.261{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-journalMD5=DD8556A1B03CA3796C7C7BECC9997C22,SHA256=9483A6BD4F9A5EA592FBC0C3824EDF0B51395E3B160DF7908D307F1014623DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.253{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-journalMD5=4697612C12331C346F8C85227FC68705,SHA256=774097EBE84B07D0D241372ACB85C9947D67A6D808D6A71CD4A91625AEA2E1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:23.946{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4282MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:20.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-49462-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:23.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57DCD4ED5B94375F7BAF72D33A67475,SHA256=4E08F617D696D9881EB86CDEA3C420FD96EC7E2F76DDDB427F5A84CAC1528BA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.412{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59064- 354300x80000000000000001043770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.898{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49490- 354300x80000000000000001043769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.898{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57598- 354300x80000000000000001043768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.893{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49233- 354300x80000000000000001043767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:21.526{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58312- 22542200x80000000000000001043766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.212{5EBD8912-7B3A-6151-3A78-00000000FC01}7120app.gitbook.com02606:4700::6812:86f;2606:4700::6812:96f;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000972894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:23.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=939DACF712EC1278013EB8C41A026037,SHA256=10032EB66612BF84F22C6BA2BC5060C0FE81AF57EE5D786E3CBED3B100A53B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:24.959{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4283MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:22.271{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000972898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:24.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC5B60006242B48A0865299B41E837B,SHA256=610BE5FDF425F0C7C70233B7D4F4450BD50CF11979004BDF5A2086E0FEB36D44,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001043773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.723{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com0172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001043772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:24.007{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924DDEA43E4C283D9F9D32442E5CFF08,SHA256=DE97A36345CB285EBBDD0B454A1DDA72035A487B8F94FE3C8C1DBC24225D69B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:25.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E63466422195D1A7BD7B2F8B2912B6C,SHA256=1B1B29CF4014848233F10AB1C782140064781E9358AE6805472A5AAC731EFF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:25.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516FBEFE0884309EF165F7AB3688F9E3,SHA256=C5C5FEF30030FE30FFA1725D8E73B173C79BD36CAE4340034688B36637CA3769,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.562{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64465-false172.217.23.110mil04s23-in-f14.1e100.net443https 23542300x80000000000000001043791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.217{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\usageMD5=8C76267DEB754BBB1F7A9A798D626A9A,SHA256=7853ACB32A99B8240BE46B33DAE3D1E92C61CB16693E1FB42400F779401B5113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.216{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqliteMD5=4A0CEAEACB261B45E7978DE369173326,SHA256=7A2F25E239A3330A641A2FB8957E28C8245B94F8012849110A064DBE77624710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.215{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqliteMD5=65C8B9E0465BD49EB8055B37AE031745,SHA256=5738E9D40BA140068B5B6749B914A1C0497F41167E5F12333304C9DB4FF7D7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.213{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\.metadata-v2MD5=6E0B6404753FA213C9117338BDC55743,SHA256=1FAF35A936480F44944374B08DA198C693E3F73191653CBD77897452B0466E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.212{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=3A00A9D9383C169AA041F273ACF39E42,SHA256=61E3A3EB9164E8C7D08AB86C942DFE7FFB3A46F0876A9C59F4E4C0721F264D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.208{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=7CBE7FD5D5783D724CFC8E35419A64F4,SHA256=79521492C97740AE1E84949E813C53C1A2E110F5859904E76960AA810FA8A753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.196{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=AA3BE611091FA5BBC1E40AD563DEF05D,SHA256=239756DDE1224EE0C8CD56E844725921FF565405501C361E352E462DB3E05843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.194{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=7E2B2271BAD92C1AD1A0CD1A9A3DC69C,SHA256=F72CFA049BF07251CA9689F2A332901864C5F16A5647968550E8CD0228A14A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.189{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=0D0083482E5B9BE0631800C1D656AC9E,SHA256=83910C1E9624CE7E9C4CB70DD42CAF880C7CAA98521C0D662CAE87783D01A314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.163{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=9C8A4F3470DABF1375F603E738942CA9,SHA256=2580D169AC339B4F4FFEC1EAFE3353B0FB760A8E657AB72873B699F5B50257BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=2CEC0C143E73D29972ABA91C5D77BA52,SHA256=51957FEF09D7A477C93E4DD9626C58192BFEB12851EBCF4566BE42793E1A3510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.152{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\protections.sqlite-journalMD5=96688742F316195493921F7AC6067824,SHA256=88456698AB8D182BB5A2211A67DCEF8E4C7FEB1B74889610345599671A80B1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.139{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\ls\data.sqlite-journalMD5=0E433192AF73139FEDD457B8A09EAD46,SHA256=518FD21E7C1C60F32DD4ADBF00E05F3F169A50F82D8B14ADF4A4D661C88B5E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.135{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-walMD5=5C1F1B0E3171A0AB0F0B4110B152ECED,SHA256=0BC0BC477699FB553BAA248F401A1692AD9F5AFB01D2AED31337CEFF1D668EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.130{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io^userContextId=5\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=1B0C3F5C500BC1B025A50429CB7D3E8B,SHA256=D34E629641AFF1AE106EFFA85F5A077915E7FC99FD86066D58219DC1042881C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.127{5EBD8912-7B3A-6151-3A78-00000000FC01}71206188C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3D78-00000000FC01}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+2461028|C:\Program Files\Mozilla Firefox\xul.dll+231e7d1|C:\Program Files\Mozilla Firefox\xul.dll+231a7aa|C:\Program Files\Mozilla Firefox\xul.dll+316c196|C:\Program Files\Mozilla Firefox\xul.dll+a80850|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.083{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:25.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FA9E105D2216C07837E9DBBAE7A514,SHA256=796BB41198F14A5D6E93AEFCED47D3CD4D3805DABC14BF657D65344ECB342119,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:22.918{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:26.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841AD934BA1834EB80B27E6329DCD42F,SHA256=34B930382E506CB9563271F9F658B80F49500B9CA5FA76A40C546D8CE7FE1FE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.881{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A6-6151-0B79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.881{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.881{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-84A6-6151-0B79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.865{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A6-6151-0B79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.866{69CF5F33-84A6-6151-0B79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000972916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.475{69CF5F33-84A6-6151-0A79-00000000FD01}33403684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A6-6151-0A79-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-84A6-6151-0A79-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.193{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A6-6151-0A79-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:26.179{69CF5F33-84A6-6151-0A79-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001043796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:24.715{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57609- 23542300x80000000000000001043795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:27.305{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992B480FE01DCC5068810118CEC7C4D6,SHA256=6B2694D2A355ACF313E5F1F1937F9E886956B65977FACA3E7ECFC26925B3D518,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A7-6151-0C79-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-84A7-6151-0C79-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.396{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A7-6151-0C79-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.384{69CF5F33-84A7-6151-0C79-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB3998B526A797C7404E3512B09194A,SHA256=4815231ECE92A61DD44CD2948E38A76BDE5899FD2AF6D56B6D6D4CDA308113BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEE9DC093565942471FBDEF1CA74690B,SHA256=10FD55858D2DA25E896777865DF7FF64A7F41D4B7F27ED3820079F5FD50B8B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:27.053{69CF5F33-84A6-6151-0B79-00000000FD01}34404044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:28.539{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162C3BAEDB78A9CB380EF42C26B1953A,SHA256=70489CD086DAAD4C3FC33431CD991C2A5EFBFC744B255D61E1FD12DDC0B80911,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A8-6151-0E79-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-84A8-6151-0E79-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.771{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A8-6151-0E79-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.757{69CF5F33-84A8-6151-0E79-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D1D0D11BA987F56D0DAEC643C18FFC,SHA256=8AF309256F08B94A5D8AF6840ED7F0909833433FA716A696AC7065273C69C09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB43BC054B54DE3DBD7EC67D6B19318,SHA256=46719E24CE79C24F8B57558F4B4D2FD6D48B790E08AA0C1DC23EC1BEC5A2B059,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.256{69CF5F33-84A8-6151-0D79-00000000FD01}22523164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A8-6151-0D79-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.084{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-84A8-6151-0D79-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.068{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A8-6151-0D79-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:28.069{69CF5F33-84A8-6151-0D79-00000000FD01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000972946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:24.841{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59072-false10.0.1.12-8000- 23542300x80000000000000001043798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:29.759{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6BC5F60965C6BEE9C1D6F0CB0DB8DD,SHA256=8EE4A7A9FE9D1F7DF4C0D7178CB8FBC64C7C9D98B39D34350FDE826E8E885DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99B9D12480DEE4B77A3F732D8D007C56,SHA256=16A9E035488983E6DBBF9ABECB543BE1AC168CC39840B5020735AEC171F634B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44EF4EE37CD838BA601B0C51A047361,SHA256=8E930288B9B5BCA3D5DA5A766CDB6D864D0C0B2BDEE60B4EB55CE9248D2BA8E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000972989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.615{69CF5F33-84A9-6151-0F79-00000000FD01}1042472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84A9-6151-0F79-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-84A9-6151-0F79-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000972977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.459{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84A9-6151-0F79-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000972976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:29.444{69CF5F33-84A9-6151-0F79-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000972992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:30.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C003455784FD6928AFC61DACB32F45,SHA256=3C6811FA62FF446DC986C293A499B2C9D5431CBE4EDECAE4A1CEC8CD0AD749E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:30.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E88E8B6754C2936406880A1217DDBA,SHA256=7F34D4CEE74F46E69733D43C6A4B7569519B84985CF779A1E3A2A178647A3B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:31.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECF0260B3BF4D06AF2C21E3C2210C84,SHA256=13DFEC00A4FE38B813A3D236EC23BD02DA6B6F7D62791CF040515429E9831BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:31.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC81C56D700F429ED8444D7584DF563,SHA256=27C1E7295CB142C00FA0144F040E8A086050780BA2843D0019B639DB19052B94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:28.887{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001043802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:31.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:31.143{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:31.143{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:32.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B6382066424D49C94CA2D8D2D46327,SHA256=025971EF5100E72077963E1B27D52487E66B90714BC24AA81CCDDE1F38434FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:32.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E38E97D50BDC35ADFF423CEE3E5AF3,SHA256=67DAD96B1B90E66E29C216C139BC1D1C7190396C7868A5AD56804B3609E318D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:32.334{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7FD05137121060E741C28B78CB15FFD,SHA256=89B3C49860DC2D3F49FB328BE80EB4363DD5C9EB854ABF44A2B4113925AD12AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:32.481{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:32.479{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=1FDFBEF8D1B953AC7DB2A4EE6B4DDABE,SHA256=3AB96E17CBA64EAD4D4FF580F2E4035273904AE963E5FCD62A3ABC00D2340735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:33.898{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E0E7E890FBEA86A3C4991D9C91A253,SHA256=5A8D7A7891F2AB0DFFC3CE328CC51A78F826CC8221904BA731DDC1405C45D63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000972997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:33.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AB6417C141B2306B011977601CD6C3,SHA256=9F72C8A8E7EB11F03D55F795EE0CDC697470CE0386A271BAB7BDE69164E258F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:31.511{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:33.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88AB6B07CEC140637A1CBE40ECE7CAB6,SHA256=A2D69AA14303DFF27C4D5F1C53D1CB5B0A17712A14AD4DA6B48007E5F5E3853D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:33.251{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B3710C04981A808F6F8ADDDAFE01B1,SHA256=4EBF5F12CCBE9942EDDDEF231A0051531AC5958419F75A6F29D30CD20F121DBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:30.679{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59073-false10.0.1.12-8000- 23542300x8000000000000000972999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:34.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135807CE5FFE1415820DD25720F052F5,SHA256=F3B5D2F74BCAE2AF47A34829C339025D51A612A97F74703D00EDBE2F56E54451,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:32.384{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:34.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88AB6B07CEC140637A1CBE40ECE7CAB6,SHA256=A2D69AA14303DFF27C4D5F1C53D1CB5B0A17712A14AD4DA6B48007E5F5E3853D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000972998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:31.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:35.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75650B2AF263C347633998702DFD60A,SHA256=B1F03C4D9F0568E4BF8E9EA90116510C726C553C6CAB27708D9BB5355F89378B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:35.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5073AF504829F3354CB276C0AE6DFF,SHA256=18242FC78814C188FEFD1E6563BEBA4C6C9F590333378A3F699CCA6B02BAAE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:35.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F7CF38C0AF35566A3F21B3E498B2FF0,SHA256=6E0E8DF41C74A292323FF7B2C18612103F2DCCE20660D878998FF5E99221A154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:35.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F961488E9029EC49DC2DBEA0CC62224,SHA256=10844BA154623EC3CFD1FCD8BA153EC9B4985F6BB0C0F425E86011D27EBDF397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:36.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D2BA39C056AD44406ECD420377392C,SHA256=D6D79E3A68FECCD257CD2C1FF044BE786308D714801B0F15A5A480BDBAE91E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:34.698{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001043819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:34.569{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:34.039{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59074-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001043817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:36.209{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA3973A5F194F08CA9DA92BA0AAB39D2,SHA256=2E64C0581B6F355514127FADCED4C04098DCBB4708A1C022CBFA4B9DA8568CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:36.209{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011CDDB60C279BB308871EC75A33CD1A,SHA256=9D302D255DDBDE84B1844A1020E5A5692FA00F2434296FDF7439A93924ACB354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:32.981{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59074-false10.0.1.14-49672- 23542300x80000000000000001043815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:36.027{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:35.703{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001043822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:37.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CD18AEFDD795B6738C42214F3805FF,SHA256=3EF25F6B20562575FE7AC13C3E7DFFB5FE53EEDC9107A8DEDEC6121F699AC781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:37.117{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=991868A5736C64285DF41419ABE8DCAA,SHA256=857599581DF17462AC65C9917ECDDDE6DAC6B0DD96051E7929ACA5BF46497177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:38.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EA7162CA28AE7AF4EA7D34C173C98D,SHA256=430C24DB0F918BF4A7207E2820091726025ED5824579CD62BBB31B4D45E6BD51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84B2-6151-1079-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-84B2-6151-1079-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.287{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84B2-6151-1079-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.272{69CF5F33-84B2-6151-1079-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:38.006{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A011E83CE46714E797C8DA4FEE69971,SHA256=8E3D730C15A44E96438AEBB66106FC7E61C4F64FF7F96026B4CDB3759317AC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:39.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A502D9E06B4E2A77C527C3C469A94AF5,SHA256=28D99DE7D7B3404AF6FE099D3CC47B7CECE2792BD7AA373A8CD6674C8AEA17A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:35.850{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59075-false10.0.1.12-8000- 23542300x8000000000000000973020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:39.506{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F7CF38C0AF35566A3F21B3E498B2FF0,SHA256=6E0E8DF41C74A292323FF7B2C18612103F2DCCE20660D878998FF5E99221A154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:39.006{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684A06D25315DFC24F2FFA95FA13D5BA,SHA256=C2AFF95309251BA1F89AD74DD85213305DA7B824DFDC305FE6C1B3B37E1C39B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:39.031{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=08C5ADAD9581A06A8AFB9F2E9FE2722F,SHA256=3DC8999DE7364E9CD0CA5D12E17CF0F945227BF968D1253605B5DDD11B2E1D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:40.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BEC276534FFD46F545BE69201570BA,SHA256=EB4AD66A9B980C9C0D4084B716DC55864DDBB4F23AA7358BC905CC60224EEC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:40.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9BC37D8A9EDDAF18AE3B82E911C800,SHA256=21635DB24163FCF4D638E13A0771E54FBBC21659CC052573B7DE2FB3BCD666AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:41.610{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AFD7889805C14A01F0B75D0FF686D6,SHA256=B324A703C2994EBB58F62CD38244578D8320496FDB4CB93F033E96887469CA1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:39.082{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:41.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4517DB7534D7C88A2C22AD5DFA19B81B,SHA256=5801A37AED86C3E123A24167D920F422BE6234356E16B839479081CFC11429A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:41.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB77A9A3D2510EB23D27A7634F17DE21,SHA256=654CE79B238D77AF04DCCAF23840235F176810469A29D08A5FFA8CAAB66DB704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:42.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223150EA2E2F6CFB9FF9AEB1B459DBDE,SHA256=92598CFA1C581193FD5971690AEF5A375982B0153693A98B79B837D7706AA72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:42.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB60AED4DD43748CB0234135FCE88A4,SHA256=73601465FF0A598B3625C98688D395BE1317C55658B922B8777ADB48E5E86ADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:39.705{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:43.862{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3A02DF204BB28831C6B1E3DD9F450A,SHA256=7EC45D1AB4309141F6A818A99C29F5AE408E32975619F03BB3C3B8E36DD39E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:43.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA79D6E0536659DF655EBE11BDC0D8F9,SHA256=E86B1756DC387D566EB7651003360BB4743790A97846C538FAF8CE77B871B86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:39.961{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:43.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D7208166C306D31325AB4317F28DA8,SHA256=6CEC623AD4FA06CAA86257ABA4111747310C8490E95ED3CA48F28249D7A7B8B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.988{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84B8-6151-6879-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.986{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.986{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.985{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.985{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.985{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-84B8-6151-6879-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.985{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84B8-6151-6879-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.962{5EBD8912-84B8-6151-6879-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.875{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA94A35BC2587571D3B70182844465AB,SHA256=030DC74C713476946A7BFB78A041671C85C456A5CFD44DD921C6A0E4FD922757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:44.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC055677E0C404A84D820D2305732C0,SHA256=1D5A557824E8F3D52F75669CC34DBF0E2486185A83B06C0C36377BD7F6CBA4E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:42.990{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=170F8ECFEFB0B0FB686850006BDDE7EB,SHA256=C2F24EA33DD6FC3E9CE00A0D8BB71AA36162523CEA06DD547EC8179E093143EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=925FE2F55BC2E27CC61CF443F3537363,SHA256=C8D24DAD19E7A6A6E23867EEC50F965AB09CDCF650CD1E4DF5BCC71D5DEC558C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.975{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=170F8ECFEFB0B0FB686850006BDDE7EB,SHA256=C2F24EA33DD6FC3E9CE00A0D8BB71AA36162523CEA06DD547EC8179E093143EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1615FB1D1B2B446F5C6123D812E75DB,SHA256=8B7475A3CD5D5D55C9957C85D154B11E25DC4B3F0DCB23C615C12748562D1F11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:41.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59076-false10.0.1.12-8000- 354300x8000000000000000973032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:41.001{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:45.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B06B6222B07F7B5C6F312C5038629C,SHA256=88C10EF88A647DAC1AD7F95E45FF3E77B11F961FF64D440018157FDAC1E75FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.713{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84B9-6151-6979-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.707{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.707{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-84B9-6151-6979-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.707{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.707{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.706{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.706{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84B9-6151-6979-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:45.661{5EBD8912-84B9-6151-6979-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22998380BD97886A269F2150666DA94,SHA256=769EB27EFD1E3A3445C53193089520239AF9EE8086D31909965BB792E11E9110,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:44.925{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001043862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.682{5EBD8912-84BA-6151-6A79-00000000FC01}19282036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.457{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84BA-6151-6A79-00000000FC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.455{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.455{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.455{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-84BA-6151-6A79-00000000FC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.454{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84BA-6151-6A79-00000000FC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:46.435{5EBD8912-84BA-6151-6A79-00000000FC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:46.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD2A224E0B26279D6050393B6F0736B,SHA256=508D869BD18BB9A60D1AC315AD4E0AE58ECED1E9AF6D57853595873D1CE58464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:47.447{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DCB4704B6F8C92DC14A6EAE9BB010E8,SHA256=1817544CEF2EBCFD9E4D13D82CD7ACE11BE7E741D067B629F86118EA98EC65FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:47.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58DF5F87E626D99EB761F67C99CDEB6,SHA256=7C393030500D1DBC6246BF62FBAB24A92161CBEB3A2FFF5961E1330029EFD280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:48.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECA5D8092BC7905A994C61FB73C5066,SHA256=1A4B35AD368764C1D7EF16831B113126E36743F6496AAD98288E58F01779AEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:48.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C93FAAAD7150DB9AAC7104889754F1,SHA256=C9D34617E7A4F2D90EA1FFE9611FD2EDCBE91F0847A4F2ECC1E97D40C41EC3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:49.206{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2825BC7963E8104F880BFDF0B1F845,SHA256=7273ACB646C9FDFA872864C084E27D363DC812983370E6DFFD6E1C8C1A75597D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:49.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E28AC5EAF320C0FCD9A2334ABF34B3B,SHA256=81F176A42965B9BEB5C36FFC62040B7133918756BEF2BBD0650594059C11904F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:50.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3BB05B2F3FC835BF03E4702A69EDE,SHA256=A414E31FF6E67FF1CA49EBAE14AAF196613B286955D2FA634CB8D80FD9E74F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:50.219{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAC2D12CDDF94C7F9BBDADC75E44011,SHA256=5A258C68D8D2DF88350A3FACDCB148F10562EB0E0867F3161F44F691EA588480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:51.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3755B237D998618C7E0FAE7648A2DB,SHA256=CC70F7E4EA0AD2A5714E77B24A624A517BD3F64AD6F1B9BDF8E7C6B2B0F98F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:51.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3745AEEB6916546EFF079E7961248D,SHA256=4DB350D6CAB18FFFA61B2B6BDF95EF3A5E6F8D334FA2DFE2C5BD241523099D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:47.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59077-false10.0.1.12-8000- 10341000x80000000000000001043870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:51.008{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:51.007{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:52.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0342FA27FAAE8CD08CB21B83C8D13071,SHA256=1EBCA0EE028233CFB40C6D314A1385AEF5A96C4EF5A993BFA490BD6A0D1D53A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:52.857{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:52.857{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:50.900{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:52.368{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4282MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:52.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B61D444929C01AF9FF13767BC4AD44C,SHA256=C7C77072F4FA40E224827C335F9F36974588608AC0557127187D8B462C912E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:53.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C54DBBF0C56DB0B5F93823C7047693C,SHA256=02CA060D06C5947F9539D2358D73125656A0685D498B04B74EE7444A54C3F85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:53.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A8BC11FC3215E1264A699A681644E7F,SHA256=4B800719161B9B5D62088E2E5B1EE28F4488B11EE5D0B6DF4A2E3551A2235B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:53.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AB479D4930754E0278AE0187E18FD6,SHA256=58002C5F9B7B152CD1F97BCA58522FC6A4DD9F1D5BB9EFB01759BA177A8134D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:52.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:51.903{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58620-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001043881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:51.630{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60508-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:53.372{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4283MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:53.269{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C613C74182FBF674624511AB903DA22E,SHA256=51A8DE90C4041C5BC422F711C15813A37A7DA3BE44A567B316A9205FD85EEACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:53.269{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76569F848B013B94C823B46786BDE7CC,SHA256=3175EDEF287A374BF2DA86F76B65BCE0A62EC6AA203BF564294F5D6F90F3CAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:53.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB1D1369F5387A627F5080F61EF9C43,SHA256=923B6E41331BEBEF9D9FD449115B503549588EDE9307A04E8767DA1F34614E92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84C2-6151-6C79-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-84C2-6151-6C79-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.802{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84C2-6151-6C79-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.788{5EBD8912-84C2-6151-6C79-00000000FC01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.403{5EBD8912-84C2-6151-6B79-00000000FC01}67324716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.256{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E94DD0CB660988230B3EC555142C452,SHA256=70FDA88BA5965CB93B93451480F94B23D72069418085AF214173707780A5B9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:54.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02571226C94F17511AEFF23E5053B503,SHA256=2CCFE20698DCFE78467F59C3FFEC4F7C7690FE3BFD045457215BA535DA22187E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:50.931{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001043891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84C2-6151-6B79-00000000FC01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-84C2-6151-6B79-00000000FC01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.118{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84C2-6151-6B79-00000000FC01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:54.103{5EBD8912-84C2-6151-6B79-00000000FC01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:55.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D1072D93DDCB85BF44D706DB83A7E0,SHA256=ECA1022AC8CCCC72679DC436831FA3CB45C41CB63FE534434902FEEEE7D111AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.867{5EBD8912-84C3-6151-6D79-00000000FC01}45683964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.687{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84C3-6151-6D79-00000000FC01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-84C3-6151-6D79-00000000FC01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.671{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84C3-6151-6D79-00000000FC01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.666{5EBD8912-84C3-6151-6D79-00000000FC01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001043904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.271{5EBD8912-84C2-6151-6C79-00000000FC01}44284632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFC88F1B9D69AD4B2946F7192D16965,SHA256=BF9011C73D64B6C67518963A4A63A670A8007A9A5D17EED4DC3715A566BDE90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:55.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C613C74182FBF674624511AB903DA22E,SHA256=51A8DE90C4041C5BC422F711C15813A37A7DA3BE44A567B316A9205FD85EEACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:56.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C54DBBF0C56DB0B5F93823C7047693C,SHA256=02CA060D06C5947F9539D2358D73125656A0685D498B04B74EE7444A54C3F85A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:53.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62450-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:56.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12080517249F3CB5B3F6298F931665B3,SHA256=EF9DB67B6CCD977E03711C0DEEA48685452F8833863F5BDFDF297F7B0E139088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD95EFCF4109C065E2F59D8727263E6,SHA256=96A4EE8B3D7A554C1978D7118395BDC86E200EF2172620BAFE5A1EACFCEC0BBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84C4-6151-6E79-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-84C4-6151-6E79-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001043916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.303{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84C4-6151-6E79-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001043915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.289{5EBD8912-84C4-6151-6E79-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001043914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.272{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FEF6E8F9FC72D67C7522E4FDB31740,SHA256=DE1BDD0E8C5DF795E3E1CF83796739ED66932DB4FA65C2AC145155F6FA884AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:57.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8FA29AB6F6F4A495CC8F6AD141B547,SHA256=743FFEB7DB6F91BB5587C0D9A6822D5B94763B57D7903195A6514F5E7D9B2AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:57.292{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67A493644C67F4B7ACC6E369B3339EF,SHA256=DDAEC4042C4601ED02E28C8B7A71BCE8B14D9460F19B953DE49A47C58618E5A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:53.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59078-false10.0.1.12-8000- 23542300x8000000000000000973053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:58.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1594B6C9C8277B6D2F6B27D5D3D0DAD9,SHA256=46A0EAECB6BE08FB12326343DAEF242FE803304919AA5312BEF263D5E0AD8B51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:56.830{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:58.293{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309BB7D03BA10805922D5EFE4BE08B68,SHA256=07A5FACAF1F31447DCB8965A825C2D0796A503B9B8DE51940ED453AA9CD80945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:59.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0382EECC4AE90BB67D35D31E55959B80,SHA256=7231F8D436B51295C8CC099E9CC54A942B56FFAA0F5705465A23590BA30D7738,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001043930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:45:59.840{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001043929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:45:59.824{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001043928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:45:59.824{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001043927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.294{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CEDD5A8AB84A745E7E9075FEA14D02,SHA256=D0A2739E92FB4E30D63C14CDC8378E1557C43B6380AE352EC6111FF7EB03DBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:00.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89C162633C804BCF74B1EE1041BC57C,SHA256=6B32814631DDBF7AE4279D7B1CDC2B3E08F0680743FB0DDE842350208CED9BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:00.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F6138C020A3866B2DFCB1A599951873,SHA256=C138D5C97DBF40C2F4233F102C495079FD5F9C052D42AA49FE863198822D382E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:00.324{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE310F367049620122AE35704136221,SHA256=083978C98BEABD4ABCD39ED1AFF0B0B7F657D5FF76F605BB186B81145AF07C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:00.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2F23AA2589ED56EECE9806879D51A8F,SHA256=7494168F96EDC117EC713553936AD1545951AC47868933E70F6F9129B9F00484,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65383-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001043936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.535{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65383-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001043935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.518{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65382-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001043934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.518{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65382-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001043933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:01.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB41CCE58A6566EC7E98A33A52ACCEB9,SHA256=4DF349F10A5CC0D13E54574BBD77FB4387007149D734E5D326DB625CA7ADAD3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:58.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:57.932{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49586-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001043964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.542{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65384-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001043963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:45:59.542{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65384-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001043962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.722{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.716{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.710{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.702{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.697{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.687{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.552{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.537{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.532{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.527{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.522{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.512{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.507{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.492{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.480{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.465{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.460{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.460{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.429{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.429{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.429{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.429{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.429{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.413{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E5E9D770F5D9E8027AF1D7C006260,SHA256=316BF9D586EE460E3791CECDE9933734608AE5E4AB15AF09082E19F2A4045768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:02.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CCAD9F5333E20237B3BDF35E94A6BF5,SHA256=41326534D19BF9A8E3014BC8AA06F1A0F2E7B433442B4A6897ECF37AC7460FDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:59.442{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:02.035{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23B422B5F222DB0385BA97FD943CC4D,SHA256=2291BD7737BB38D4864B39636F5FE68852B14A50510FD93D5ECDE6C71A0739F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:45:59.719{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59079-false10.0.1.12-8000- 23542300x8000000000000000973062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:03.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2095E5865F29D3BD8CF6B3314ABA8593,SHA256=DA55171810B91C496250541D5640E4EA752646FCD389B7E0F840EDF4D5E5A41A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001043974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.455{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com02a00:1450:4001:831::200e;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001043973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.864{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.859{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001043971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.139{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56975- 10341000x80000000000000001043970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.648{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.633{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.628{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.618{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.613{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.443{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8856B4A5E70C75443D594F6F873728EE,SHA256=6E4ABE7DF84D25D572D8552621503BC38E6E4C6962EE0E58DEB7BC7039158F1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:02.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001043975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:04.493{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE79219A2E9D6BC581C8C6A0B9B5CA5,SHA256=C02BE6A3BB6A508D0C30D7838E1A629261E21A7C2D57394865C9CB4FD27BF914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:04.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C87AB10992D070044C40AE7783984E,SHA256=2F3E0296E2FDDE08B570461AFBC3B7FDF2791A76B35E368F3ECE6A32FAF89E4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:03.904{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:05.503{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A91A7FED0E34F30C7DA0CAC47A682ED,SHA256=4C94CB825BE34726B572C1636E413C60E72F026F56055680853A20D606D83087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:05.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8BF2C81D2B20D4EB82A251C5EFAD6F,SHA256=BD559BE3FFBE0BADB9D68FE76396A26BE3E138976BDBF6253D3AE3B4906FE18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:06.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA33EF0FA3DFE9E40BEA07E6827D10A,SHA256=11965934CE3D5B597446CF3931C996738447F60E35261DE92D7F0580D0429ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:06.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8C35AD9590F352A1D34B133E9E303B,SHA256=F23D9E77B48E20BC7DC4D1E5DD26A8216347A9D4A1AA6B08CD2CE6D391334797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001043987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.831{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001043986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.530{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576E2361DE3AABE1DD663AB9C1C98E1A,SHA256=A0DC392410B2E3E60915813059DB3F72A1B0675C974D04C9FAF89CFD2EFFD6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:07.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F428BE2349643E253939F6DCE05299E4,SHA256=60105C1CF33ED743186AB2666C18741A48569DA1052E7ED10CE3B4EC0D7D8AC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:04.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59080-false10.0.1.12-8000- 23542300x80000000000000001043985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.460{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=928858E13402CF077BEA6F3C76926C63,SHA256=D473C3136E82A74E374CAB242944D330B5923FE5C2BA3F98FA6A439710449A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.460{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=FCAAF82EF3DBB379B49E97A5DB94193A,SHA256=3856D6B14034F6488995548293F55D0F72B1AE2B9C440A0E5CA9A9C5989FE983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.455{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=79C7ACC5FACB28FE89565FBFE6BA6475,SHA256=C2B0B742F675A7B4A82DAC7F4FE89C8AF5F3592B7D63B7A663385B1B49D77430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.435{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B379A8C3730003491CD15CD415B26,SHA256=D63CA3CF766E9B2908C0BBDB430DDD16B2D6A4FC759801FD88CA6518097D1E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDFBD928E681095246F2420E04D2159,SHA256=7AF684E60541D539B3FCBFB07C0D4FE7CD95D5B5F22F2637BCF04D2C8D5143F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:08.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E72F836CD54F9E533CA4C0AF8CAE96,SHA256=50B977BDE0683249CA174574C2DF6F0FF533D855DC903F79E5C44DA499160C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:08.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D67C8E23D34999647764605533E748F,SHA256=81CF989EDBF59E2B96CB3CC6AB4CCC19D961272CF277A6A3B87178C8072905CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:09.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA9A0254CA09FB0BF022901DA957990,SHA256=2FC082E8F24D2F00166CABB0B752E3C7FC2326DDA7C16455C67FF6FE4A9330EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:06.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com36349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:09.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F2193506978CA8DE212820BAE12CAD,SHA256=0D0F1DD1235CCADA081DA6C7AA5F7C15B9503C72961F30F83DCC0A1E27CB0167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:09.160{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=907AC93F43D88325C7E4D8588CF11A08,SHA256=48EDD1D13516549E6A6BDE0939321862A511925296422AD12D3CBA372503AA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:09.160{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165B997A7914B2DDD2E06DE11B3E7D27,SHA256=370B825B93ED55D1144A8632F75ED79DE644DF70DDCEC511E614C2B2928172F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:10.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDB58FE69735F2D68153FBC76DD352E,SHA256=4E24844A2B958D0416D0DC1CF3C33303CBC3033BCF748AAE54ED744CC4578FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:10.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D78290FE6A4B0C825846023BAE907C,SHA256=8B87A90C6175865A602737E777711C9D755A34ACFC0F12EDEF9B2FF52042AC71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:07.783{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:11.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5BDEDB469E6F72CA7D1BB307781936,SHA256=D7CCBE85010BA57B88B681D8EB4592A103D77400E51D90DD25AA81BD49BEE7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:11.661{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3190C5FE719C5BFE199948B6C4313594,SHA256=75522789325883395DB72B87B5827216F9BB0EA5679A733159E57FFF68191EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:11.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B379A8C3730003491CD15CD415B26,SHA256=D63CA3CF766E9B2908C0BBDB430DDD16B2D6A4FC759801FD88CA6518097D1E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001043992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:09.121{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com39555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001043995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:12.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A554095C4D366406A399A846B8A57B6,SHA256=5BC76C04CB733AE54097F7B46DAEE41761669EC784F5F7F7FE2AC13CCD52EE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:12.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EB4002CFC89D12CFA5DE451503A039,SHA256=916AF946EC5FB84B6421FA81B9B03B5D26B3D439474BABC0210B71E03C8D24AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA437515E9950E94A75432D86970901E,SHA256=CEB2B768AC4127BE6759A372F00A96C6C93EED559C1836BB15CD5AFF611E5D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:10.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59081-false10.0.1.12-8000- 23542300x8000000000000000973078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:13.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056629F6E7F03F5DA440BD9373A8B503,SHA256=96F647560122F636B3FF08978BE28CD1E88E2ADAE03EA486CE4EAE1145C1D662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.046{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7A5AFEEC10E4F2A7EE89002272F533C4,SHA256=222D48FC070F34EA7F23799A21DFCA353D10852504F914AE02BE296CBB0264E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.046{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=77A3EAE2166FC18E5FB72BCEB20B0CBB,SHA256=46AC833028A678C708F86E832185F7C7F84E561276CB4A79DBCD21310C561F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.046{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=93E71893D11693DB3B30022A2A67B275,SHA256=1BC37456A815E0EC501CB0579F74DA474C7EC2DFDD6C1AB56F13B013178F63BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.046{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A5C47A377B10BE8F0889400F51F037E0,SHA256=7659E1F8294F5B7F4AE8D1E1E72C944E4ED4CFDD13D3C085024843D42E944FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.041{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4BD26EACBCF3B0FEB26830619C794446,SHA256=146BF6ACB09B0BD98C68B359981433ADAFD1C89AC600827DB47A5BB83B8DF86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.041{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BB0B958318CDD46464BBB51FAB9A1366,SHA256=23A45A4684A1C8D8418BBEC0F6867FB13DBD35C95624AF04255FFEC12D5DF9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001043996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.041{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BF3F4FFEE41D5013DFF775A2C55786C1,SHA256=FEC78878A05169D35355389D32A8F9AEF5A46C761D6A26EAA9F995F9141DB9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:13.129{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:14.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B361765382A46A7FDCCF36515B24D297,SHA256=B6B30F67F5864812F59D1E096FB03B7AF03CB0210E707CA86F1D095A3109E46F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:11.755{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59082-false10.0.1.12-8089- 23542300x8000000000000000973080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:14.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA562E782E81C869CA7A18A4FC40CC48,SHA256=2C52F672B923EA73FAB356D20C6A1BB522C46991F1A062C32D6FC50E757516F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:15.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258D757797B466DDE6CA397D262092EC,SHA256=2EFAAC2202C8A1373B929BA77B2606C480CE0056AF269AEABB020DCDC5C6F88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:15.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13387D47F9EE8C8CD245BC0C50D24518,SHA256=5CC0D91280B70F4BFFFD9551C60452E9C711E155BAC0AF56DABB4F1788D5A993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:15.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BE584EE0C24661FA9C04FA5F0E7185,SHA256=8147033B55F0B9CDF744B4F3BD94FCFC182CF360394E4537BCD381D281A76C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:12.828{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC1D535B181767222EA7D04C7098B0C,SHA256=A228B18B5EBCC622A122B144114E37E45FD5990FF273F1AE699033AAB509CB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:16.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1D1A49BAE34F2B72F509B2D544E3EC,SHA256=F1B287C40E4E8FCDA32286C74111BDE61F0270A573A78C2DD5D323B463B79EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.487{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001044012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.487{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.487{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfb6cf7a.TMPMD5=689B04263C4FF8CAEF519FA64C89166B,SHA256=74BA0CB65F957AEA5CB45AD79B7613EF0CCE8E507AA8FDF39816C388493CB49D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.482{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 23542300x80000000000000001044009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.477{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=2E27CF81979DAEA280AF5E62A525B5C0,SHA256=3B5D70F3F9490A364AC56FC341F60D0BD8D10DBC44535FEB03755814CCEA0118,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:13.963{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.873{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3ABB67FFA47C4458263A8D4842A457,SHA256=B110908844146F72186E6399C676F4398CA9F3558E87C6B3D46DE46199FF15C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:17.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D914390CA44856C25EA98538ED0C63,SHA256=202A13A34032254C128912D8E7703A64F22B32286197F93617B1E9AA9052532A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:17.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=907AC93F43D88325C7E4D8588CF11A08,SHA256=48EDD1D13516549E6A6BDE0939321862A511925296422AD12D3CBA372503AA04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:14.294{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57013-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:17.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A376B5FCAD37F36E834A7A0794F39A,SHA256=F0FC9DEFE068BB21235CDCDA1AE771E18094E76C36D2C53E478D2F146052B8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.062{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F580081BB7AA5B90B81B47167A166E9,SHA256=04292DFA838AF9DF27A7969FA19CD9645F76D1A72B2F3357816F67AC6B0486CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:18.930{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872D8B8D5FED0C51DF66EC13E27D502A,SHA256=12F8246F0BEFB9EC32A4575D5362990C56FE6041774AF011ABADCEC17707AFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:15.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59083-false10.0.1.12-8000- 23542300x8000000000000000973088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:18.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB82438E6F3462D1F8763DE09975346,SHA256=29D6A77F6509743945E0D1C2D71883D5EEECED845084D1C6820EDFD6E7099420,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:18.580{5EBD8912-7B3A-6151-3A78-00000000FC01}71204572C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:18.210{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AD0BA137C8BD3C389FC2E8366FBA08B,SHA256=2C8D9C4239241F84F103925409DD45A2D8AB96A401FD5B3B8537D779E3EF2C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:16.533{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:15.991{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:15.746{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65388-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001044017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:15.746{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65388-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000973090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:19.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6060F6D031DA444FDE7EA2E080C3BC51,SHA256=E3FAC21ED03F268304910FAC2B7271157EC6AF78F8E7DD744F6AE2E52EA2EC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.516{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.515{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.514{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:20.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D0A9F9A3A9B2E6CFD0B7300A823F14,SHA256=758A8424ED088D67F2C7FC8B1824C45EB4DA68CBA8131A674A8C4985A0D0478A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:20.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29CAE7C79B69295C2F496ABDCD1FD26,SHA256=8BF3CC42789FF88FC034430257092C6D29DBB2D04C9CFB72C909647A42BAD1AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.865{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.851{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49651- 354300x80000000000000001044057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.850{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64543- 354300x80000000000000001044056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.850{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53846- 354300x80000000000000001044055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:17.849{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49983- 23542300x8000000000000000973092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:21.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501DC0F313077FDED0C12FE9372874C9,SHA256=5795117CFB237A6CC8FAECCDCCD01F55E39DD789431D33E53C44851E63CB86DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:21.170{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E2173BA4B37620EA91E4BFCDAD6FBD,SHA256=3B91F4135D16509B669A3B20F6B9767E2AC6D873D22868963564B116DDCE4625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:22.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCF3D9C53DA87270168B793CD363D18,SHA256=EF0DB6EC945CF8B9F8EA212BAB260F1158FD65376EBB9283714DA70CC36B03D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:19.878{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:22.381{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=374CA1B22C034426B53831574543C203,SHA256=3C503EB274758A78E50389FC15F391F49556F9DDF2F185A96C28AF91077D9F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:22.196{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FB4D1AB32E55298821C4A5BBD9997F,SHA256=0CE2A8078CAB066FAF2346F12A95651F11447E4B1997C7526FF4A439050193EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:23.506{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF80F03A695437EAA9CB85B1DDD952,SHA256=B68F9212F3BD457EF7444881CC0FCDD17C4BE22822E3A9B5412A3353329446FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.823{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7E90E9241D00608BCF0831BBDDA7DAF7,SHA256=690049251DA2F3E3281F62BE964F727CEF96E4122232B84EE6F707516377FBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.823{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=00845E4D8AA2BA0670AC6BC5EC81A317,SHA256=22520CAD43B28066FAEB7D5B834B98EB97BB7B258BBF3ED010DE5408A1FFFB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.823{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7405834E80BE291F3DA4CCDF0E0CC5A1,SHA256=B0EF5AD57CA628931C664DAD8133EF1F59BC49C4F5FF92AA1F90512BEAA6B329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.821{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4EA21F57C53A02B0F1EEC0BBF59B2696,SHA256=AE936E9B4C87A6A47345BF348C73176A7339EFF8F7782E6C79F86297D2426FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.820{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=63B29733B17A6C874E88A9ECBCF1DCF9,SHA256=18C8182741176896E9495DA091D45E3A180C6E3F4ECCDB3C000DC49E1BFB8853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.815{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F31709A34AE73E3EA37F44A0EB7FC467,SHA256=7C70D76B4EB48ECC45FC5B85D9B9A6CD8EEEA37FF405546C379C64E4BFD3E4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.813{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CCDBAF3AED163233B73EEA3926974588,SHA256=BF2D58E374849A0BC4712EE32E31E9F83119F29E64809F3329CEDEDD2DC35775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D797DCC232D482D6A9BF2ACA709855FF,SHA256=DA8BFD81C72612E92B66D6DB6450B3AF08E706CFB2E8FFF6E0969A3CC706EC37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:20.424{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:23.162{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B22EF0320C1C2A3F678A71FED758E0B6,SHA256=B5DF47417E4603C8FFBDF7788AE52BDA1FA3CC1DBD77C068E1C52EDFB5A68B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:23.162{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D914390CA44856C25EA98538ED0C63,SHA256=202A13A34032254C128912D8E7703A64F22B32286197F93617B1E9AA9052532A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:24.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237E59A92577A52CC496BF4038EB80AF,SHA256=0909E16F78FA0C2105B1D21F6BE7EDDCB92FFAF12E9212402ADDA6EA0260F207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:24.223{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF82555E061248DD21892B9C14DE3D7,SHA256=4822C5374135B21528F1C6E2E984F382A657FCC60DE51C3A3A04F6A2B0BA08C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:25.524{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C212FC3A8D13CB61C72FD8E93B76809A,SHA256=FF804AB8DC8A0C4FE7FE5A17F111BE3C36D955458E4FB830BC9DC57EBF42E359,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:23.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:25.276{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B928851BE3A9532C86B9F38F39F1BC,SHA256=13164A93EDF24AA99D1938B1FC415F19206DFD42F0721E641EB7575920AAE8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:25.501{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4283MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:21.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59084-false10.0.1.12-8000- 17141700x80000000000000001044075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 08:46:25.116{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.16.3621897C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001044074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:25.113{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8375-6151-4379-00000000FC01}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E2-6151-1279-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.892{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.876{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.876{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-84E2-6151-1279-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.876{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E2-6151-1279-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.877{69CF5F33-84E2-6151-1279-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97823711885970E785F8F630E5300DDF,SHA256=13438314F3445939659018018801AC9DE1F47E36F6FCDC19F6B969B2FFBE77A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:26.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B181213F9670ACA961160FB0020EA0,SHA256=C063B598AA84CD8E48BEAF373332102D4109493B83A626AB5409DAAC10CBE49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.488{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4284MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.425{69CF5F33-84E2-6151-1179-00000000FD01}23281572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B22EF0320C1C2A3F678A71FED758E0B6,SHA256=B5DF47417E4603C8FFBDF7788AE52BDA1FA3CC1DBD77C068E1C52EDFB5A68B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:23.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62756-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000973114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E2-6151-1179-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-84E2-6151-1179-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.206{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E2-6151-1179-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:26.191{69CF5F33-84E2-6151-1179-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000973148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E3-6151-1379-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-84E3-6151-1379-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.755{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E3-6151-1379-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.740{69CF5F33-84E3-6151-1379-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665E0C693253A4C40E61E2C76281614E,SHA256=1955CAF2E8F6883002ACD850889CF214CB3F2FBEED8190F80D958147C5370414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:27.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF81B445B63739F8C94509FB002C4DF6,SHA256=B8099EFD7D8A0F9C1F905FAA199848886405AF5E6727B77472EA5006C020B125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:24.095{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000973133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.192{69CF5F33-84E2-6151-1279-00000000FD01}32442344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FB205AFF0440A5D851677A3B772773,SHA256=4C9BA4A42B43D8681FB19790CB58D7241A5C60FF25BA2596837797B5DACE7AFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.614{69CF5F33-84E4-6151-1479-00000000FD01}35003308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:28.385{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1994FCAD428E582BCDB8924E006C09D,SHA256=D3D4688B26D237B72FF685DDEA9ED8BAD3ADC7CD48901ED623ECBD258C5E70F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E4-6151-1479-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-84E4-6151-1479-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.442{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E4-6151-1479-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.428{69CF5F33-84E4-6151-1479-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:28.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FCF9F5E4DE3AF0DBB2974F1B3687091,SHA256=504440101BC7FCC8FBAD0C6803E60552B240B196400A7270B894BDADD0E0225D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC423AF6D6F6CBD4B5970536EC6D53B,SHA256=6E5343770166B27AFD1EF30D454B6E58C7B29315F158679038AE03FB785536FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:29.553{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0EF88C8C4D6851FBC7A1E0E222F766,SHA256=4A95ADF105086A42EFE3823195E169FF39DBE68A72B463F42390A4B41B933587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:29.553{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2EB58021C639630005F2B71E8AAE48,SHA256=DE9C361673F64327ABEDDBEA4421E3BF2051BAE919306326D6FDD4A6182147B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:27.813{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:29.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291B2A359B20CABE22F771B66843A8A9,SHA256=A00D5F6F3C38260B8E494A47C3EAA2D19DCD37030E6C2F1746691D6CE2B631C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E5-6151-1679-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.817{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-84E5-6151-1679-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.802{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E5-6151-1679-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.802{69CF5F33-84E5-6151-1679-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD7DA561D92FB8F555C3EFC938B4F504,SHA256=5B23CD0C4E6EC3ADEB1BF0911911686FC3939A571DC41340BD712138F1ED34B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84E5-6151-1579-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.130{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.114{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.114{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-84E5-6151-1579-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.114{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84E5-6151-1579-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:29.115{69CF5F33-84E5-6151-1579-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:30.389{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C69E89DAD01DD8C668CE26145BB4F21,SHA256=4109E097F412DEA9C213A03B9B4ED33D1BB281B547E77E790024AFD1A4660D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:30.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=973C87F9317C2B6BD13222E2157FE709,SHA256=B6AA262CD6F8A996D7BA2BDF15DFC14F68F64C83668A6E7B37B74DE2F8940DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:27.709{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59085-false10.0.1.12-8000- 10341000x8000000000000000973193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:30.020{69CF5F33-84E5-6151-1679-00000000FD01}2896508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:29.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:31.390{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3089CB551A1052B4BDC13B56BE8006B,SHA256=23F08D990D4AA640051B00BE599F5A802B36AE577318B0F1E1C37537E15659C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:31.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5111A2B9F35AB0B4FC90EC3621BF112,SHA256=531489490BDF0504C4173A0B2AEC1E4AB7F6AFEC0CA343F463E25B1DC80BA69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:32.783{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0EF88C8C4D6851FBC7A1E0E222F766,SHA256=4A95ADF105086A42EFE3823195E169FF39DBE68A72B463F42390A4B41B933587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:32.396{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A601FA4C2510EE61C1319C4DDD3ADF3,SHA256=E31F661F2227DCE472DD604DF1905921C4F1E01CA3C31E35834E7D9FE94DD80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:32.349{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D43F7F79945875CEC2DD0A66BF791F20,SHA256=DB8086F759DC2BADA4F8D34294C646FA5EC9EB75639A1D2F64B6CAE829AE2F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:32.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB183199C846327BB25E574F2DAED97,SHA256=5EC87E39E182A9A6DA5A4F3E43F1B9CBEEB77A5C46AF747895D4A3861090E933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:33.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F82A237E4D1F80DB15812BD6BAEC2D0D,SHA256=68F14791AD3D917A81EF8779A70ABE9D6EEC7F9F7E364A89CC759A1F68E867DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:30.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:33.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FFA118D18F06CAB33317570DABBF09,SHA256=44DEC366A65EB51D258A05E825B60ECD0E1688DDEBFE398CDC13E34952488011,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:31.676{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:31.145{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001044091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:33.851{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:33.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AC80CA2D912F87FBA151E7549B6A6F,SHA256=8005C6425F4FEC945DA348E2B810E3756581445F8A6447A230EF3AC5E630C16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:34.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76986BB3D0FC75D50EE0C4C83E841C3E,SHA256=5CD3D6EC0F40792044DCFA166A0581B991782CEB73FAE2E80762C04762922504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:34.414{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8299F32A9344327FD0A7D8C5E01C54,SHA256=8B3A89A5360437588CF782B3CC6D46F3EAE1840CC3FC43F2543E7047FBDF0ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:32.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59086-false10.0.1.12-8000- 23542300x8000000000000000973203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:35.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A55C1A3B063644DB7C1A584DCBB4D,SHA256=4EC0D75B5E5A365B14EAB23B80AAE2903AC75C402AF5F6F4B62F005EF1EC2616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:35.431{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8497EA990C16EEF697CC727957CE5A3B,SHA256=82BEA8E9F78FDD5D19FD4DDE74F1AEFF62D1A87B3D253EDB263F2848DCD3B2D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:36.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393D1438CE7391C6CFCCCFC11A7BFAFE,SHA256=7286CDB775F9342D0425CD667E95796343E935951D504E708795A8E3B9B39DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:36.450{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DC329398A7722021B8DE6B885B4ACC,SHA256=69660F641B9CDF48467002E6D2FAC08572FBEAC85A2F3C0149BDCCA9A8AD3507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:36.050{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:37.496{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F785AFAF827E42397D17C991BFE7BD79,SHA256=9571BE621876C6DE69237E2A11ACED67509A4FCA306DC6536C4220FA16F995FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:37.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99C3666E064FE4ACDF17FFC06695FDD,SHA256=3D9E58BB458DF4299A5068A1F57AEF2D151B186802CCA5E4D391EEB4AA40169D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:35.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC5ABE7FBC68F50ED575ED9C37D5947,SHA256=2E4465E8A52DEB589B6DF7CEA88D249514028FF0CC31E4CF57E082E7C09878D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:38.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A8830997CB613E4C2C2886A1C3D7701,SHA256=4ABE9BFF70A1B9DD8C55FF358B7DEF37805E14AA9EF5577DFA152C25B5793B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:38.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB898833E92D9E94DD02CAB0DE28F3B,SHA256=E2E81E1B2199E2D746CCC7AF03BBE6D1C53C8A1FFA7C42E58F86D5DB9C3AE9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:38.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8459D656550E7333287B73A264134473,SHA256=52E26EB143D9D1E5A21CCE14E72B0141CC716EA1097D49030BAEFD6F0EA140A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:35.720{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000973220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-84EE-6151-1779-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.302{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-84EE-6151-1779-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.286{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-84EE-6151-1779-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.287{69CF5F33-84EE-6151-1779-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A1744BEC71D7779012C635914B97A9,SHA256=EC24595626A0DCBC8621DD5F98DAA2DE3802D7CEB219849C50914C946514575B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:39.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032637045929DDC569CA6A1D08B0F653,SHA256=8A02AB7DC627796735795A89247B9865687E415DD3325FF980D2B3351D9D211D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.913{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.913{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.865{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.865{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.865{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.849{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.849{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.849{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.849{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.533{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BE8029E59F3FC8CB4BB5752B31E4FE,SHA256=A4648D517790FB8302E7E0D2F4BF1F96DB34D0D55752B15E1B4A84CFBBA7ECA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:39.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00D9D383A3B14933858E488BDFBA8DF7,SHA256=912AE14D914B45A49F376A7D12CC4359CACCC0A3C20B6FDF5939E2F804BFFA23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:36.591{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:35.757{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:39.049{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B6F2C19577B69890E7AC5278EFD0F7B0,SHA256=B2AC053F216AE16CB853370F14A882B8244D2965417557569A665BFF455729C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.091{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:37.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:40.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6331A46D9AA1CBE95D1DCC9F472C61FB,SHA256=0986FD1C85BB30C70B3A1A4853EB37724F2EC676B5EE0279F22FCA1CB86CEABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:40.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639919E15415624EC3D48804D77FF3F0,SHA256=10438AEBD031CD25F980CE7B4715287190504399C59B193CD37AEAFC56E45E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:40.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D513100CBF2A7E90906E4C57836D7A83,SHA256=02944A9DF9159A4D9E3E916B0B0C3F0B5F3B36F2DD9E7655D81B846E5147D027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:41.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725138551B11A6079DA95570F1CD1EA1,SHA256=4552AB35FD097F7C242E3FA24126A811A69CA77CAE245FA8B31BE30C14E45760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:41.566{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3012119F88B2F509C184D911E7BBBB,SHA256=21D3051AC88EDE7A358D2AB28FDD9208B21A79F9358EACEF4571F5A14E1A756F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.833{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.832{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.831{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.831{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.812{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.797{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.797{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:42.597{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D58194138AD73FB72468FF14C864D3E,SHA256=E269DCCFABF2874D8DFAF74C901A53FDF9A60FED26AE78D4D5DA0263108CED03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:42.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0256EB787AC70250353DE0B9E0D84C8,SHA256=DD9FE96C240B2D99761CAD95FEBDE8634B05146B66964AC0EE31B3EE0B05103C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:38.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59087-false10.0.1.12-8000- 23542300x8000000000000000973232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:43.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FB3A257E32BF1000C30D62E94903C3,SHA256=B13533F9E19801C1E546CA7DB5C57387DAC7606A03E5854B1B7C10915A794483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:43.597{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18A9F28BB4FE08D1AC52DA45D84794D,SHA256=486E26F1417B994453BDA26A4A03DB5CB8C8FD2558F237920F8E46EAE017CF69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:41.741{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:44.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE74869B0FA2B1F2107AE43716905EEE,SHA256=DD41880509E8DB3BF583538C4B9238E6672FB2D3BEC9F91BD40F79D13F3E07B0,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001044131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.966{5EBD8912-84F4-6151-6F79-00000000FC01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4CEE335F0A956E8C7F69ED144CF3D9,SHA256=865913A82A355CBB5030ED8C01DA5CDCB5E6795D99C13BE3301859ED8FE8AB88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.312{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.312{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:45.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944B1FCAD0DC8A8A2EF3D34425EB291,SHA256=419C19EE6FC0BA2A2544896F414AA48A2F28DDB85828C71CAE8DF87D43A677C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0687F113026C5A7007BE52C95C61AB,SHA256=277DE65C1679A9AD31327B33CE2DFB6CF80186297249FD7CD992C408DA3A09AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A8830997CB613E4C2C2886A1C3D7701,SHA256=4ABE9BFF70A1B9DD8C55FF358B7DEF37805E14AA9EF5577DFA152C25B5793B07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84F5-6151-7079-00000000FC01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.699{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-84F5-6151-7079-00000000FC01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.683{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84F5-6151-7079-00000000FC01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.670{5EBD8912-84F5-6151-7079-00000000FC01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:45.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCFF86A1E6384D7A744CB59DFF0C334,SHA256=DE04DF98E5B90846EB0C407D75FA8204C75E842582E292977FCACAB4BE6BE54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84F4-6151-6F79-00000000FC01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-84F4-6151-6F79-00000000FC01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.996{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84F4-6151-6F79-00000000FC01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:46.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB8EE76800EFD649C71787321FD7BDD,SHA256=8C9E18DD1D0536D9913CBE7A9C2360D808CA77D923C5DA41E067E4CFFE87094A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336AB33453B705CB72F38565B284762B,SHA256=05547EE5A077D22ADE28215334439CBD3928FEA5B851C59DE63285EF9A458780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:46.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86F5DCC9FE5E88F7E5B8242C3F79699B,SHA256=CC39C15887AA9BC5E6A139DB9B65D5922CC0B1E5A317DA22B5BBD3E6347DF6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:46.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF65907B034085EB896A3D6B1ED68942,SHA256=47BC0F9EEDF65BF5E36B9F419ACAA84FF211B9366C5C283CC86797BC089D6F0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:44.247{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-56225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001044158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84F6-6151-7179-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-84F6-6151-7179-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.379{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84F6-6151-7179-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.365{5EBD8912-84F6-6151-7179-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001044150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.001{5EBD8912-84F5-6151-7079-00000000FC01}70242012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:47.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DF814A508D3A1FA3D2140DAA0DCE4F,SHA256=E1217CCFE23DC0356EF18EE13DA8CF5F16B4200D853B650A4263E1F4F4197184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:47.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0687F113026C5A7007BE52C95C61AB,SHA256=277DE65C1679A9AD31327B33CE2DFB6CF80186297249FD7CD992C408DA3A09AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:48.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F0C08270BDC6378B7AD63407A7F416,SHA256=02BEC357B3244F621446044071CDCB87FB1085A34CC3F048135576B9DD9998DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:48.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D1FD98311A6F020E7B0F3CE2ADC75D,SHA256=A105F3F44BE3527731CD34EF0AE43B8E7B591A4DEFF7E30C33A974283E317C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:44.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59088-false10.0.1.12-8000- 354300x8000000000000000973238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:43.822{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD03E55618B6A888C3B3B71730C54F63,SHA256=EEA5F696E8E38C1D8998F579C7C73EB03FBADF99DBA940255F8117D37CA8596F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:49.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D863BAB7F322FA3B2B3EF3BAB1345C,SHA256=B55259247F34E493794A914DD9013B33CB420883C929DB11FAA28C30CF1EBEB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:46.935{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001044172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.260{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.260{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.260{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.258{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.257{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.257{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.257{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:49.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:50.690{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070BBD2C36A625EC409564F07C5CF708,SHA256=416B16126A33801452466A9EBB324E05FB3A1EE8856FBB7CCDE4136587ED4A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:50.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB77E9502B229950DFAD0A81A19CFB50,SHA256=6DDE5D2973CE1C7CAE2D9A7E304494D91B95A81F5BC538CF711B832C05F094C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:51.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF45E7376FBA978439A92979F2D31B7,SHA256=3D57D8E88B1E86CF961CD5C3CDA202EA46032551C9ED628034218DEC77D37ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:51.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD9CD2CFF99160414C38C006393F6CF,SHA256=52140BE0F4DF3079CAA659EB09BFDDDF39799566F4F0D785C020A415410E6C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:52.821{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD2538BCCCF3B8ABF80FBF0387DA403,SHA256=6325BB345C3B9A8CA9C4F64E54273D810CA8DAA7815A930169A1D708956C4B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:52.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEAA6BDAFF3F22B152A4A9B9D51DDCB,SHA256=4BCF7DAFB53B813A1E3F2E26C46518C096E95B6E0078EA1178E01418AC39D6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:53.821{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147E3FBBF37B71831459BAC69B48430,SHA256=8E96E77BA8D68FD9DD981EBBD17A27F8A721D557E3D6383F46DECBE81FFE064F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:53.895{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4283MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:53.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B54E5227752662C39CDAB5A6DC94376,SHA256=F9ADAE85856BE09CE611BA6122F63C4D193CB3E7CE7D05CA9DF89EAC4D9FDCB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:54.836{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F462F2CA1B7E42783D6712E46EA27F,SHA256=AD40AD903CE47ED2E54DDF5D5BF59697A7EE27130ECD48D1B58EECA65986E44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.897{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4284MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84FE-6151-7379-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-84FE-6151-7379-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.809{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84FE-6151-7379-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.794{5EBD8912-84FE-6151-7379-00000000FC01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E34F629579D9512DE3B03B07C965E5,SHA256=C38004DA1AB2721C743189D040CB701D808DAB744FA786A2C66F736D6888B6A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:50.790{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59089-false10.0.1.12-8000- 354300x80000000000000001044189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:52.846{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001044188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.308{5EBD8912-84FE-6151-7279-00000000FC01}69644236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.123{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84FE-6151-7279-00000000FC01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.123{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.123{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.123{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.108{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.108{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-84FE-6151-7279-00000000FC01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.108{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84FE-6151-7279-00000000FC01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:54.093{5EBD8912-84FE-6151-7279-00000000FC01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:55.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAED69DDF5055B165847E514A200E61,SHA256=E94A1B56386F75CD64718B717F499DA69701924707E608E58CC0B3F4E208F037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.748{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A458094CD0C58985AB96AA47D0502150,SHA256=32BEB1877FCE53727A2B50D3EFA3018D33A17F4EE29975FA110C1AE9F15F1B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-84FF-6151-7479-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-84FF-6151-7479-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.501{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-84FF-6151-7479-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.479{5EBD8912-84FF-6151-7479-00000000FC01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001044203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:53.396{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001044202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.095{5EBD8912-84FE-6151-7379-00000000FC01}23884348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA2BD9B9A33C1EDB46CD9639B6110E03,SHA256=34AF4C63E3D33544164B04BC7E1B6E10F6538F8837996A50E000D958A575803A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:55.038{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E77DED6401F2BB12836FDC31A27D6A1,SHA256=C0FEDC23D5B39D052FFBBF5EB2CAC3E1FDB0C4D97B9D66E789C86212DE45D106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:56.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5522E2EA65A88DD27389ABA8C7029C,SHA256=530800873673970647B26A174F1A7E494960ABD38B6255553367C527BE6F9750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.749{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F6A5788B21A9508E9D671EC7F58FFD,SHA256=92491C7E198CCBE620C745A90CD8AE6E8B2585B30103D4F608237147383B902A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.500{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA2BD9B9A33C1EDB46CD9639B6110E03,SHA256=34AF4C63E3D33544164B04BC7E1B6E10F6538F8837996A50E000D958A575803A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.350{5EBD8912-8500-6151-7579-00000000FC01}60485052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8500-6151-7579-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8500-6151-7579-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.148{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8500-6151-7579-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.134{5EBD8912-8500-6151-7579-00000000FC01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001044217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.049{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.049{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.049{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.017{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:56.017{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:57.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012337437DD69A50CEEBEEB90F9733A6,SHA256=9BFC1D4157E4A4DBF8E9499E6DE72A77B70E69BE52DB9ADE5C40DAD3449009C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:57.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647E6352A0827372F2F0742F539EB430,SHA256=B09B6C1833FD20F7C2D26B8B3626482BA76387C1811E68070F1EF1C0D37DACA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:57.018{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:57.018{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:58.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCD2AABD7301FF544E6CDE24BE3EADD,SHA256=E1D78757D6C9FB0465C7C8AFD29E51B4000AE389CCE2E39BC53FA9A98A9688F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:58.797{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939435470A72CD859F15A2A11DC73718,SHA256=27FE060A2DE7A6A094A5133DF92D2B076AD95634C7004EE7F960A05F2BC1C628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:59.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5574B6C005E5AD4C1E1A7DB831FF47,SHA256=6853AC3F336C752276765202FA55C75EBF01D59C6452A70900987DABC9941749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:59.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB76847FDE244390271AF3F17415AA74,SHA256=EFEC97B0B43F043246BFDD9DD3595B8E211122989999C05DB64AB671FD40EC06,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000973262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000973261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb77484) 13241300x8000000000000000973260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0xda11a622) 13241300x8000000000000000973259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0x3bd60e22) 13241300x8000000000000000973258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b384-0x9d9a7622) 13241300x8000000000000000973257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000973256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb77484) 13241300x8000000000000000973255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0xda11a622) 13241300x8000000000000000973254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0x3bd60e22) 13241300x8000000000000000973253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:46:59.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b384-0x9d9a7622) 354300x8000000000000000973252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:56.712{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59090-false10.0.1.12-8000- 23542300x8000000000000000973264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:00.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D6E89EC29656456CFBFE7A0F19F8A6,SHA256=2D0E26DED937E96E8C528BB5B2EF9639FF3BFE0713BB03395E18855439343050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:00.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3220CE4C1150FFDF3CD9BC08E977B8DF,SHA256=9922CC6C05BF9B1ADCAE4FE7C6E3A6E129FEF0A921F05D3D53A1550B8FC14D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:46:57.939{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:01.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC855587B144C0621D3D22CEC33619,SHA256=D42444AFC56833F6DFB8F836A46E23642479720027528C3834039FF601C7167B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606A2D9102A51A71A8F51CE2E7FCF5C1,SHA256=0DC74FE26674EE72019F0D514FDF3B4EF60F1A39C38F7EFD0BE08DFBD75756AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:59.017{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:01.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A63EAFCF3C5F18A9309FAEFE5BC2C41B,SHA256=6A6FDA0ABE624B4F2BEDFFB75E7D064C61CF2168D54635FDF97CE692B5B5F1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:01.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86F5DCC9FE5E88F7E5B8242C3F79699B,SHA256=CC39C15887AA9BC5E6A139DB9B65D5922CC0B1E5A317DA22B5BBD3E6347DF6F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.663{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.663{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001044242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.648{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000973271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:00.034{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59091-false10.0.1.14-49672- 354300x8000000000000000973270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:46:59.714{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52562-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:02.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DC52EB4764C9A7B1E665929C70EE3F,SHA256=16D0DA344DF0879A1A1CF25F5AD0AF46247A14A3025BBEC931F24E21D2875E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:02.847{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E34082A51B68DE96A0565795E80E3B8,SHA256=69A4D94E647C9A011EB2145B15B5B22CDD7EF33F51111A9CE1BB171266789B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:01.092{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59091-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001044250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:00.680{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:00.512{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:02.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD4BDFED4CA16E7201470F71A16728D3,SHA256=1C99CB0F58856CBA2FCF8375B4E3D327C4424D52E0105EEECE83F6736B73E1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:02.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C810B9E8850A25A8A2B539E6FD0A8F3C,SHA256=E2C3817B48B6F822DFC32647FC1C669F1D4180339B2533FB9B5FAB1520566DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:03.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD18A0B704D354A608C4FE9D446310D,SHA256=D4D7471B633DAB776A07BAAE966115B7DFD5A88570AD2D663EBBCD1A89BAF2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:03.862{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEA39DF9036CBB79013AC52AEDD9123,SHA256=019E17862856FAE304C28561047C88750A29C4145F91AC6FBCA121039876F254,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:02.311{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:04.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B31ADC074B701FB0DE46F88E70FF67,SHA256=B16067E2C7ABD63AD684C2B95B3413A19F7C6D8B790647AA6DC01FE9B07A3C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:04.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91CA1056DB6D31E53E1D4C28CF0F5C2,SHA256=EC911EAAF80CD087CCB2CC366BC932CBB27F0FBE54FC5B9A55C5B1AFFC2976EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:05.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65625C25F0F511FA31ADE4833BF3332C,SHA256=F6CF84D229D965D8A82E3F021803EF42C8EB7E53E339585CFCBEE2BC64C0973A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:05.868{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978B0D69755CB611EECD431F2E8DB000,SHA256=C5D0CCF94C2F8EA18E3547481E0EB279AFC6266807430985058129E529EE3EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:05.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD4BDFED4CA16E7201470F71A16728D3,SHA256=1C99CB0F58856CBA2FCF8375B4E3D327C4424D52E0105EEECE83F6736B73E1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:06.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C424D7975010C4BF96865A66CB57B8D2,SHA256=DA7FF83E73B7AC1B355A2B83E46717BFEA7BD8CE91C432D1FA85C188BA6836D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:06.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C2332C3E4A1788FD32240AA5BC5B7E,SHA256=C8329304A15B30588446873E3046881580F9D3CE0BD5A79BFFE3BF5FD66163AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:01.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59092-false10.0.1.12-8000- 354300x80000000000000001044258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:03.931{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:07.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D7AD447343D9A7D449199ADF58B99,SHA256=E22D9EECF9BA8B4BBD0659E243755DD1C43E19B67C4176C362F869CB33256DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:07.899{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2CACF0279DD759A7DC5AC6ECFA0C92,SHA256=6F9ACC1C82B98AC7AF1DD26E8EE4A28DB3E8CAF3D556BF0825F30825DECDC7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:08.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36340562CF25D465770025500F6D5481,SHA256=B4B294BED9D74BF6A20D67569BEADAAA5337B9CBD5D66BFD2140A541B416E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:09.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161944A2800571BADC87C554CBB4B664,SHA256=65AE9308F47DD42B9289899911E5FBAE1EF582563563F130577DC3784B396E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:09.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDBB17A04AC5B40BD573DC4B0F1FBAC,SHA256=7BB1F7F46FDA51F4641BFDED265D488E725B9ABF950F55CE5D658B20E75EC92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:10.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36511FFBEF7E492FADB6D376DFC21A8,SHA256=EE9D41C0283792C478EC91179422C2681453B63F7768891CB6C4CEE525A92901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:10.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FB1C5738E4F2F4C6E36090F87F4F8C,SHA256=F24C01E3FDBAEA7A1E7D0C0C0D3FF0E67CDED6481501218981C5BC5A176CA585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:10.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A63EAFCF3C5F18A9309FAEFE5BC2C41B,SHA256=6A6FDA0ABE624B4F2BEDFFB75E7D064C61CF2168D54635FDF97CE692B5B5F1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:10.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DD215543A901D89BE06C4BCB8D4833,SHA256=74B6B96425040734983419A963DB6F6BA3D4319C7568187D42E130A846D7B993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:11.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B218D13C2AF1E12AAE5A8BE00BFA805B,SHA256=F0B36346ECCB826758D5DDAB05138EDD9DDDC7F99176645B9E8321B1EABF7600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:08.331{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:07.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59093-false10.0.1.12-8000- 354300x8000000000000000973283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:07.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:11.036{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EFB5483B1BEF31909FC6644C7D7755,SHA256=CBC3F9716BF15F563645798F5627058A70DFFB3BB860E8CFEB0982EB2888C99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:12.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2365D373F37EB9835BE790F1DB53174,SHA256=764F6FEE1B5AEC851FEC1789288616E1984E7637A206C72769069B197149FC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:12.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72D27E26625129D0D0AC41D038C1FCA,SHA256=AF3F2C69933EEA5EE5B2D0B2CAF8AEAD1D68CBAF23C03AD00175647B821885FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:12.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E745DF1902FE7B5F2DFCC3B3602F4F6E,SHA256=36B1DB0D808FE0EB8BF93F830E073619938596CF662F0FD3A2D09E4797EA271C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:12.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0691EF7DEB79D40214D0518E732EFE35,SHA256=095FAB41155C6D570245A8FBD7B5DE379C29BD73630A62B42838C581BC52FC9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:09.874{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:13.145{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:13.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1105D5114F69BD54513C9AB692DFACD,SHA256=970552F9AD1278A5F1145496E6AFFE4A8751A7BBF348D340A85B291C767FC17F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001044281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001044280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb7ae51) 13241300x80000000000000001044279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0xe267d1e5) 13241300x80000000000000001044278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0x442c39e5) 13241300x80000000000000001044277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b384-0xa5f0a1e5) 13241300x80000000000000001044276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001044275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb7ae51) 13241300x80000000000000001044274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b373-0xe267d1e5) 13241300x80000000000000001044273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0x442c39e5) 13241300x80000000000000001044272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:47:13.535{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b384-0xa5f0a1e5) 10341000x80000000000000001044271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:13.167{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:11.047{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:10.620{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60803-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000973290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:11.771{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59094-false10.0.1.12-8089- 23542300x8000000000000000973289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:14.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B4247B784026BB0AC89B8839D501A5,SHA256=2EE493BA021D6BD077410FE641664264C630EC22228D74BC8BE3F8EDE9AD3FDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:12.604{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:14.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E745DF1902FE7B5F2DFCC3B3602F4F6E,SHA256=36B1DB0D808FE0EB8BF93F830E073619938596CF662F0FD3A2D09E4797EA271C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:14.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEDDEE0533D1F1844CFFEA7C8EE4FC7,SHA256=F9E5F0DA36AE7219BBAFD547C088BBD096FB4C2D7DB3A88642092634339CF95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:12.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:15.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BB08BFC5F359AA40C340442A0E1FEB,SHA256=429C861EEA10291D4B7DF0417CC80F7B602B9DE4C2FFB6BAF505F36BB79FDF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:15.021{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043A14C816DCF19C4818810B6A93D0BE,SHA256=64FFC8B714AEF89E4770C21543EE45F03E418B818AF7FB04775A99A7B212A8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:13.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59095-false10.0.1.12-8000- 23542300x8000000000000000973295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:16.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E29DCF333D7BB337F1B7089CE9C37A5,SHA256=554144147E1EC5C5ED31B9231DF7968F1A0CA6685EC958A9C12247A2BBBC873E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:16.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E60A1BDAE58A33C9157E76AEA3DEBB8,SHA256=0B57CEADBA29EE84D25956D068395EEB1E9A0FA1080B637A61F7D176A6D2287D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:16.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACD654CDE4A09F6C0D549C25FB3A424,SHA256=FD0A1A204380EBD99D74EAFDF0E46D48253D9009880FFE699733F88E647E0BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:16.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FB1C5738E4F2F4C6E36090F87F4F8C,SHA256=F24C01E3FDBAEA7A1E7D0C0C0D3FF0E67CDED6481501218981C5BC5A176CA585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:17.109{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4A95425EA48427D404BC1A113C6964,SHA256=BD707649BF156AB33FA28927CCA46F627BEB1C050D80BDE24356F5A007C51758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:17.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFE8F5D2A977A254EC19DAFBAB8B64A,SHA256=97F5D05FF81F4FD93D7C7C01340AD0BE34CD36014AE8C29C62A857DE1C2FCB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:17.091{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3962697523E71A25F4FEC7C48C91F95,SHA256=2E51F787E4DA576FE5F29CDEE8D00CDA8C2B954F906A171B49D9CF129C569252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:18.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753B7A2CB68505BFBD7349A8073B08EB,SHA256=407F8D114FF3B325B43CCDA24E3FCFB0A73A602DA2CDCC49BE311C7F0AE3564F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:15.853{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:15.769{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65400-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001044290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:15.769{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65400-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001044289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:18.128{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9DEE31C535973F979873699A864B7,SHA256=055B73695402E42D20DE93B8F447C2CC256028F9C30C50E95FEF20B902645005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:19.142{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF0250AC0C1AF11388BB6DA81392D2E,SHA256=D269695A3E4265F378BB5CDA6F074906FEB842A288CAB0FFF49D981ED4FD72D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:19.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACD654CDE4A09F6C0D549C25FB3A424,SHA256=FD0A1A204380EBD99D74EAFDF0E46D48253D9009880FFE699733F88E647E0BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:19.146{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9ED95DCE15EA582B87813415AEA84D,SHA256=CA08569816C30A7DC8D634666C8A5F16AA9364D64286372F0659FB32709C1AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:20.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F91052E013771B099B18D77F5CE353,SHA256=B81CB83F8DC4AC3AEE1FC0B66110F33EF1CDBF6E6E8416BFE437712AC17466C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:17.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49962-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:20.856{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D79E242F527E406DD80776988E20D6F4,SHA256=160B2BA367A9CC7B26F5596150D47C3E52AEE93F6523EE84EA59E77E9D04879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:20.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313FA21194E0EC08D5523186200AC2C1,SHA256=DC6AA1A1D88AB92B2CFD86ED86057A9469A64045EB6494AE9503FFCA3A9EA519,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:18.072{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-56561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000973304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:17.636{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50591-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:21.177{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD8A4FF90BCA82051F7470201F116B2,SHA256=123C841D3AF308CF21529C813B826E6EA6087490CC332D2685C7723003F4B0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:21.206{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7932EC7E44ABD6A61BF044C97A6BB1D3,SHA256=0A761CD63AA0B23CC605E8A37405FEA9327DDAF82BEA41F213681C9D335C2858,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:18.513{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000973305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:22.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F21E9A2F17B73B1AD7D807853DD9AC,SHA256=D7F0DC6BEF244690E23DFD43281189FC10B50FA9952AFDDDCA0171D78546C91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:22.223{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40A6447852CC875A7C88C3BBE59AF8C,SHA256=4C7ED67FAEC350FB29DC77EA7B5D69BB75E4C8F9FF385F66C58D332204764F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:22.023{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C1E3B76AB33888D66A1422ED462290C,SHA256=D87EBFDB663459C4BC9E3546596BF9847B7478BC67EE0DA2BA9FBBE828A447BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:23.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D985A39E3C17889820D1D06A487BE8D,SHA256=0CEF77CC100D8F0664CA3E85286FB7AC9BE32EC3BA4ACD583AA92ED09A002119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:23.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B328B0865B3CAEF3B58AC5DC31F1213B,SHA256=EDFB57E3E6ACACD78ABA7AED37F882D92F768A1211D63B758C2EA44CA72ABD8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:19.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59096-false10.0.1.12-8000- 23542300x8000000000000000973306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:23.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742C26CECA60673A773EEFB8B91B3AC8,SHA256=932EA2FD017A2CBDE808C4B1D3EE44DC21DD181DB7C8E44A7CC0C28B1CA165B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:21.778{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:20.998{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:24.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B80047B169E5C9AD11361ACCE8DB2A,SHA256=90058F443F5D644DD97366BDC67A28AD468910752F8D48813B826860BC31688D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:20.548{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49593-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:24.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B09C78638DA51CC83A31708C9CAB94C,SHA256=A9991D8335B67CE73A7A5E545BA6B084997522594D6CD1A4C9CF67FC7030CB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:25.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351AC575E83ABFDC4264667D99B2A62D,SHA256=51BE1E8B6FE70EEF842551B777337814B64DC39AA87DF9888FCD7BBBE2AC5C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:25.301{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF907DF5845C678E441ADB653B6EF046,SHA256=4C1DA1A51CF539EB89E8D3FAE60D016F8960A10FC13B87705CFF95C986CEEF9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-851E-6151-1979-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-851E-6151-1979-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.898{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-851E-6151-1979-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.883{69CF5F33-851E-6151-1979-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C799B1E5E5896201436610AFEE393830,SHA256=099E29562DF925F7EB8C0C25FC9623DB194166E2FB9441D4EED8323EC079746B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5220ED107EAFA748012CA142ECA76982,SHA256=BD733781A8588C6BC93373AAFA3DF8E0C7B251F2DA893FEA81081FC62912C2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:26.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3B07FB353CBD39EF15B97B217DB141,SHA256=77F260A78FAEA861C2405DFC95DDD9BBF72B220DBD8874EC5D744869BE7E4CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.381{69CF5F33-851E-6151-1879-00000000FD01}36602336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000973325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:23.744{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-52192-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000973324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-851E-6151-1879-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-851E-6151-1879-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.209{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-851E-6151-1879-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:26.195{69CF5F33-851E-6151-1879-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2390CAADEDD533DEE34164DCB413DD6E,SHA256=9D43459351868B73061483CCB7367C30495031CE5915118F6AAA1863AD49F1C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-851F-6151-1A79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.571{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.571{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.571{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-851F-6151-1A79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.571{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-851F-6151-1A79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.572{69CF5F33-851F-6151-1A79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.571{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95D04782B4E86DB28E145E3C49E74C0,SHA256=673448227695649137C498F4916D6D07B194DE96A989005390101BA0DCA8F6BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:25.029{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:27.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AD62F8A2C9D7F939C5AE67FBEA0AF8,SHA256=7A8AD76100DCD2A6C6C911ABF1788C55C01AAC96808FCA8485E67F5B122994BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.055{69CF5F33-851E-6151-1979-00000000FD01}23601932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:27.011{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4284MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8520-6151-1C79-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8520-6151-1C79-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.963{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8520-6151-1C79-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.948{69CF5F33-8520-6151-1C79-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:28.365{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BD9EBE595000CD99DF9E99AE843012,SHA256=AEEA0272210F3A9590FE33AB5A6CF9E70CE11AB2DEFD7D9F03D8CF43E985F359,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:25.728{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59097-false10.0.1.12-8000- 10341000x8000000000000000973373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.398{69CF5F33-8520-6151-1B79-00000000FD01}33481996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8520-6151-1B79-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.257{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8520-6151-1B79-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.257{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8520-6151-1B79-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.258{69CF5F33-8520-6151-1B79-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.010{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4285MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:28.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A895EAAE574CFD6A5D6EA1D45CF288,SHA256=55EC57513FEE4B870758D535F8BD171B244D4EA5196AD6A3079584DC47D4FBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:28.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A4EF0208113F4DB4EA5CC9C856B864,SHA256=F330CCB0787BBD4A2FDAA846FF46A0220891527C27D5DDD2B0619502F3C9D8B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:26.911{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.380{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FA7500B7B80F307085429A6009043D,SHA256=44E2543DD5B89E6DEC03245788C97241FA4BF0ACC5490AF130D5E0145AEF5154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.822{69CF5F33-8521-6151-1D79-00000000FD01}3584956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.650{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8521-6151-1D79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.650{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8521-6151-1D79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8521-6151-1D79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.635{69CF5F33-8521-6151-1D79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F0C48E31BA460335A7138EE5C6F49A,SHA256=9DB6A62FE90880F1B9288E20DACC8DDC7BBA98A57BF38E743C3181B827969926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:29.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C4EA55F6DF01CB9D9CD466816A626A,SHA256=C7D5EDFB086F9118D12EED19657C210DFE0F64084B6EA378B85DB598902E5A8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.133{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.133{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.117{5EBD8912-79C0-6151-E577-00000000FC01}4296836C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.102{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:29.102{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:30.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF27FB865EDCB2D9B215AC103F8648BF,SHA256=127D3EC9ECF25CB5353853F82E541ECE20FBA843A86818DA25AC4673A5BA06E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:30.447{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0543BC17AD36B9CFA00219F495248A07,SHA256=FB58EBE262B9C8A80A01E82D33D4D4C4AC814E87486F700C1555EE6F8A3ADEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:30.664{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:30.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF768F3146F4FA1D50755512A4B0B4B,SHA256=E6912C0912E695EF0279F5F649F70B9CCED792A641C6B27A871CD2B903A75FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:31.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A428F46B08BA584457D02816E70324F,SHA256=4B9BDE854FB1E78C5A9BDA41327737234D423833F8A9E154AEBCBA6B2CDBB217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:31.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4E2CC4E33122337CB161CB75C4C237,SHA256=E6FFB3B686C86B505FC49D8B5E7C290C64C461E2E378DDF8444748368253DA75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.529{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.471{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:28.393{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com38498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:32.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A756BBADA2C688EAFC8C0A137D6C8FC,SHA256=2CCFB150F7D48F2F7AEFED9139ED7A87CC41D55293FD2EB7A1CAE82A671AB6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:32.515{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2B53C8D02FBA6575DC541A531E8907,SHA256=49DAB24CF7E36C877D9C86819CE2AF3EDED2B23BAF84C5F7F772FD0AB273DCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:32.353{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3B526C84BFE0E6B548A8A50493031FBC,SHA256=7DA5E47029A4A953E9306834D2EECB0EED798CB09513BD81C2E666B5DC2BAE6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:32.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=349F24846AD4BFF0D0C11AA5741080CB,SHA256=855553769AA7E65CA34A3379B5A0C8DEDD466BF037D6DDC587DFA3A88B7CE81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:33.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE48F8AC76F2AE56661894EB4B39121C,SHA256=800CD85DE6AC498BBE86CB8391BB0BC758C651A01A59C64C32450B6FAA6FC37F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:31.403{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-51163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:33.529{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EED1F3BB43C9A5EBB0A6EDB875E444A,SHA256=B762D7CE033128E474CC66B8B27DEB458BBC60F395154E55EAD8128B3F7A1361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:30.654{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-542.attackrange.local138netbios-dgm 354300x8000000000000000973415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:30.654{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000973414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:30.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-60260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:33.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC513A175F75D3C79724BE28750D95D7,SHA256=585DECD9BC65FABD3AF2E22D98130D85688CFCB797550F361F0A456B99BC910D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:34.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001DA323958672CB548690FC65C0E48,SHA256=E90001A6DC10314D59395B24165857CEFC2EBF761F57E5975C58FCF985163A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:32.868{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:32.858{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5087FF23EF9096EAA602D459F1D7529B,SHA256=507474F28493F68D805E54E163B4F0DDCC915C144F8A7A49C1BF66FD9EE39703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8A6184B6CA821F51C49741668140A780,SHA256=1C8BD36AD27A16F720D12FEFB67F70C0F994BE3B6B6AAFDD9270C0600416BE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=12B26EFB5577A059B36AB3F4F2B2A99F,SHA256=0F75AE3C286C187C4611E63E388FEDFD86F32A0901C0401F46F03F10EC64EE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E689EB80F2FA5150333921B047420D2D,SHA256=2EBA9194F577A480A028AC3862373F3E75BE85E89F497D57D8BBB5AAF52A522A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=89580DE75948D6FBA45A6F0DB6DAB44E,SHA256=7D12461F297C4A0F3F27C1ACD5C9A2A53D68B02610CF3258EA59C73294E67A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.576{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BA7503A56F6F41D018EBB7C8AEDE43D9,SHA256=5683F88B63127D587BEEB73575869AA5E81EAA70A3D607BA2D2A6CC7E500C875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.544{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24354B80B754F7F2F19B39ED48CBE704,SHA256=E1E4EFE85C9C8F6232A83FB068429F4A09F94BE2F90662B365569A30287027C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.513{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6DC92B5327A90B4FF6FAEA68B4D54F,SHA256=10B821000D4392C6BCC96B6DAE0B48AA778C98EA2B765D6E2824FABDDB7681FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:34.513{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A895EAAE574CFD6A5D6EA1D45CF288,SHA256=55EC57513FEE4B870758D535F8BD171B244D4EA5196AD6A3079584DC47D4FBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:35.916{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E053CFB83E7FFA4E6E11A6B30A317F87,SHA256=3ACED46804A6E9005AC7AF99E85935BF0B2B28400562F5F0041DDF45CC2F3ECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:33.330{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40375-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:35.576{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F33186D37A1B832A0DDFCD2673D111,SHA256=C2508C0E633158A4EF0CEEE02E892EE949F4B1F41B078FFDD479297D72126966,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:31.713{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59098-false10.0.1.12-8000- 23542300x8000000000000000973421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:36.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985E327E8B9777848417D4F5D2D7DB37,SHA256=0BE6B4F65D1EB3965884C6316F7D2AF5DC4EB57A3486D9565799BDDCB6DA997B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:36.594{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FC0AD50714D996C4143F4AFBB59DBF,SHA256=8455B82C682A27D0A1082F07719B03AC5C233D0BA599C4A77A7F197D8E895586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:36.076{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:35.752{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001044340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:37.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E879809007F6B652EE4879F58CD063,SHA256=BA4EC6BA4BA347BB56D415855A8B59122C67B7DB97424680EEB79AFB3872B849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:38.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436BD110311E7B99408B197334F79CF2,SHA256=8B590DEB9F7E6E8A1DC54D6A51236624AD743783DC540BE976B2E7760CFD7BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-852A-6151-1E79-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-852A-6151-1E79-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.306{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-852A-6151-1E79-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.292{69CF5F33-852A-6151-1E79-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:38.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F27EBBA3EB3E5F41978259F73F5CF83,SHA256=77C4DCFE806CC9C40C631B5B763A94FE6C125D35DB9EE1CA95D0F7079CEE25CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:39.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569B1AAB4964EB5C81431627F4A2662F,SHA256=0A8E09061763721863C129952F6254E27CDC60E3A9383E8EAD61793BC6761676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:39.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5E02F00D25056D515A306934187DD44,SHA256=D42408375D286C0AC78A0660BE9B43DD6F43FC23704EF246EF8E3C5644D046EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:39.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=409DD21572F0AA581A7651BC776A0684,SHA256=238C94A09F87FEAC33EB20BA09DD7C98B81FC882989520169515F93223B29AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:39.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B582E173B43234A458F36C54386E0A,SHA256=3EC9F496067ED6C4E0F8A09936D317F73452ECF22723E3E7A1A31E07CF644740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:39.060{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=67D3F27F3C0AB3888C6600DBA4CCF6BB,SHA256=60CC5B7037ED46C96B071AE4ACCC5018E3179593030F03818D862405C29E76BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:38.805{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:40.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB2183CB1972793F216C2D2F9AFCAC5,SHA256=DDA8B2407E26DE502F388D66A9289A0A5C2ABF7DDF54D5676B1E31A448121185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:37.744{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59099-false10.0.1.12-8000- 23542300x8000000000000000973439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:40.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79E1E7DCAD607BE8AE6842E01E77C8A,SHA256=8A5D39BAA0F1E42DAA1861CE2907BC032526159FA22F65C8DC4E0D08914FF6A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:40.044{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:41.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1617DDB4935048265E9D950DCE0F2EE,SHA256=4EAACCBBE7F2C9381FB436AF4E2F488115505672964B49EC8263E435C62E3306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:41.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5E02F00D25056D515A306934187DD44,SHA256=D42408375D286C0AC78A0660BE9B43DD6F43FC23704EF246EF8E3C5644D046EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:41.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A843A8045312A520F4AE1CB87F011D40,SHA256=7E15962382AD55BD27FDDF6BECB58F359DC2266BACF02B8DDE78DA4368AA8C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:42.775{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EAB2BDEC6F59C08EA6C57DD7FE3972,SHA256=6700C0CB83EF93323AF4900C66A58CC68A2CA5E14AA5BF539346E3DBB5953907,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:39.190{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52768-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:42.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FDCD7C3542A10B0619AD00798CD885,SHA256=C057C0D0ACBB0C7BE0676EC53B580638E5B0658479BE2F824A81358981287C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:43.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8E9BB2921DA0675BCD1991D7E60CC7,SHA256=C5968B90A6118C6F17D762C13BF4B4C70CC7CD6188790B809E34E4C6760E8989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:43.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B01C818D9CD610DBB6F06C11727BA86,SHA256=EE6FFA60ECF499057BDCA4110494751B299B84CF29B921B34CAC898BA2B0A165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8530-6151-7679-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8530-6151-7679-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.926{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8530-6151-7679-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.893{5EBD8912-8530-6151-7679-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A7EFBC2D7D9E0032C4AFAD8869B9E9,SHA256=0CE450CB909E233430622B5F8F94B6DAA68EEC7D37BDEE5AFD65B7DAF4C2AD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:44.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680D16BDD0072F45AEB4173CD9ECB832,SHA256=C07825DA169BD7E37C21AE8E7A9EA3740438E8A6DA360A8C23C276A51C0F8367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:43.934{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DE9C896349037119ACE7A86FE7EAC3,SHA256=3001744C20546C8AF6D63E609A07B9B73DC299DD894A783F9A6A30AE8E921CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:42.746{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59100-false10.0.1.12-8000- 23542300x8000000000000000973447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:45.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAC3BF42F44B14042DF957D5EA0FBAD,SHA256=3488F666C8A7208E2910D92045D7C72A97905180B6263AB2FE2F283C9292C33A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8531-6151-7779-00000000FC01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8531-6151-7779-00000000FC01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.628{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8531-6151-7779-00000000FC01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.614{5EBD8912-8531-6151-7779-00000000FC01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001044360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:45.127{5EBD8912-8530-6151-7679-00000000FC01}53004468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.923{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:44.654{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9295D7E622C586B40F5AB84E7FE19766,SHA256=9150C49E4252EDA8A2B496FBC36632EB555B79E410A0CA9C3C821111386B003E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:46.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4347C7E8380CF6AE505C740975AC33B5,SHA256=956E3A23ECBB3511726EBB42347DCF159B5650BF4D3BCAB15318B07D9F683AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8532-6151-7879-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.330{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8532-6151-7879-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.314{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8532-6151-7879-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.315{5EBD8912-8532-6151-7879-00000000FC01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD59A6D65AC38713390095A0F854305,SHA256=80EC537AE697A62F758E7787C0A93B406910D0A814D171A6CA3E73581DB7AE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:46.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6DC92B5327A90B4FF6FAEA68B4D54F,SHA256=10B821000D4392C6BCC96B6DAE0B48AA778C98EA2B765D6E2824FABDDB7681FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:47.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BFC3E56C879943D74E58E44482270C,SHA256=469DD1900118A680195F07618D8CA2AF38CC139723F93D3ECA2E5845F1FCD5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:47.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6130F2A8A81FE7E5245CE35ED444C8D6,SHA256=DBF8FC711E6AD79D0958B737F86DE06DB8A5F775160AA89CF8E1264BA3A2FD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:47.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD59A6D65AC38713390095A0F854305,SHA256=80EC537AE697A62F758E7787C0A93B406910D0A814D171A6CA3E73581DB7AE2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:47.230{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:48.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66C752578AEBBAC2A241186B04D4007,SHA256=AB9B10CA73E1F8EACAFC058228F3FDCB3B0AD14C61BAD5F21CB66788695F0617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:48.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A1F1DC9F18BF309B4AFFF6E15E074A,SHA256=31235A224C24468BB575B5601AD856CC7FA13DDEA78F07C80355DDE798512F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:49.949{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F6C2C61E4DB9B927ABF21ECFBF5AD8,SHA256=68E0AD15B1074FAB3B359B8FE3789041189272F02903ED6ADE00F0938ABAFD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:49.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446548318FD162E98BCD81A023B2BAE9,SHA256=63CCEEAC9C86237AF0987AC8D4D95807F247645E938B9D43D1C25B9E717CEED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:50.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB55EDD65D82D013CF21557F6B4ABD6C,SHA256=C3E96FF17A59F4164504728FA8BCEE2300CD2D43CB89765F0BAA17A49FC4FBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:50.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956148C59D9CCE603CBE7DCCD1A8EB5C,SHA256=6588483A347F4BA578529E24905AA33B576C1D333C8CA8814E8B840F6246818B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:51.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2751C4E04CFBA9F361D7274845AD30,SHA256=3825202ADAE5C9482B0A19DE1FD62B6219EEC1DC86CDF32D643B538AA9A6F788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:51.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEF2A60032A1E4BEE1A0CA6B28A4E58,SHA256=57EE7B7BC35DBE59467B0C6926090C8D5974A67C12033213CECFB87FCE0B5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:51.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=796698745985FA2C6BA0F02DDC21996F,SHA256=0FC2337F42E2CBD64DF9978885DA4A5710C439BA8846E8041A96BA929D993819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:52.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0521D825F5B40F1915F49993FA6C77EF,SHA256=A6EF3070ADAC98300457A772027EF629DE5C9BCC65E4DCE158CBD979BDA54BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:52.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9F95BFA6E0D4CC9B762CD70DBCC240,SHA256=B02698EBFB4F28964DA7656671157B442E41D346CF3773F405576E73F6CDEC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:50.292{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61145-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:50.002{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:49.841{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000973455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:48.731{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59101-false10.0.1.12-8000- 10341000x8000000000000000973460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:53.590{69CF5F33-7F28-614D-0D00-00000000FD01}7803460C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-0C00-00000000FD01}720C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:53.590{69CF5F33-7F28-614D-0D00-00000000FD01}7803460C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:53.590{69CF5F33-7F28-614D-0D00-00000000FD01}7803460C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1600-00000000FD01}1216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:53.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6B98983D04F5DC97812118771068BD,SHA256=C3075E8259F1D03873152798B9B8EF33DD5AF1A5350D058EBF04C98EC6E640DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:54.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723579F361FD24A3497DDE7C18737345,SHA256=654382BADEF058F4992FF7A7A2A1E2ABDD463CF37C611B5B8BC90A3F87071455,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.965{5EBD8912-853A-6151-7A79-00000000FC01}44565276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.801{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-853A-6151-7A79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.799{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.799{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.799{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.799{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.799{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-853A-6151-7A79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.798{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-853A-6151-7A79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.781{5EBD8912-853A-6151-7A79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001044412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.302{5EBD8912-853A-6151-7979-00000000FC01}39881960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-853A-6151-7979-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.117{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-853A-6151-7979-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.101{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-853A-6151-7979-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.096{5EBD8912-853A-6151-7979-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FE290B4C6121F4D2DEA0107E368E91,SHA256=74F4242D0BEFD657CF24670F905698370FA33351CEBED1665D3340E43F4B5296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:55.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20510362988A085D3093B1CD674207F3,SHA256=D93E3C8A33990A968FC36C104E4D80242488EF2F2248F16C2C0746DD56A5ACBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.518{5EBD8912-853B-6151-7B79-00000000FC01}60165488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.421{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4284MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-853B-6151-7B79-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-853B-6151-7B79-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.349{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-853B-6151-7B79-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.335{5EBD8912-853B-6151-7B79-00000000FC01}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB8E780AFEB4D9F156404E7FBE089DE2,SHA256=5994AE2CC23AD80598E8AEA678AA47B2308596035F0C274ED3680971DDAD0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:55.002{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E704AB77933D2FA2FBABE8E2CD81CF0,SHA256=A5816AE8CD874EFADCD2A5819976AE757B65BBC8F703238890336A143DCECEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:55.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB26B942AB922E2154F11A3E25E45F18,SHA256=F0630F9EB9DE9CA9DB00BF1EE32C9B1B74C6F507306A34ACA4F10FEAFCB4C94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:55.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21B2F2DE5290EDCDF0E9919009F2FDF,SHA256=6AE4AE741ABEB4E2E69647F9C8C0857E70CD0737C4BFE2F879C53E624B88ED18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:56.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E82163343A8C0C2C8CEAB9FCD775678,SHA256=58DF84576510CBC07095E374F08244A838F08B71DA971FAEC5FC1D964B739474,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:54.956{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.434{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4285MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A36C7572DDDC6DE8E95ED9FABEF874D3,SHA256=C92DEEB139B34ECA0143B5E413FBC03225162FEB4FC8BBEDA55D8BA1D1A405ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-853C-6151-7C79-00000000FC01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-853C-6151-7C79-00000000FC01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.048{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-853C-6151-7C79-00000000FC01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.033{5EBD8912-853C-6151-7C79-00000000FC01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:56.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A644C7921338B62B40ED6FDE8E90BA,SHA256=1090B998C4B554887C519F47D254076703D264858DC6944A6A5AFB44A468E83C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:53.871{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59102-false10.0.1.12-8000- 354300x8000000000000000973466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:52.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53279-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:52.251{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:57.527{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01522255509D3F8F6EF09633EAEC0CD0,SHA256=1B8210F728572353CE7018315F6C271FA9ED21FDCA86393DF284A70F3228C0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:57.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E258EF16F00607A5CF40A7C3E00F4F9F,SHA256=A9EF0A3A95B93B487761D1028F468CF47457866A14B8D44A2A7B929F8C48E467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:58.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB26B942AB922E2154F11A3E25E45F18,SHA256=F0630F9EB9DE9CA9DB00BF1EE32C9B1B74C6F507306A34ACA4F10FEAFCB4C94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:58.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC1DFB815A6F7DDF4BAD28DB5440ABB,SHA256=171C362288E286900D720066AC4C9E04FFC81BB99AF0B6127359579826C9CDE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:58.832{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:58.062{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45C04A868EB0B857507395DE1BBB1A8,SHA256=E7BBCAF11F238AC50F3D9151014DE005C33B5CEDC70A435CB40E1F4ECD8A1B8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:56.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:59.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CFC4081BF09E9B8D507D3AC239A7AE,SHA256=E814383F36723508163E6F3701E4B094D7395795ED751BE918835FFE2B681232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:59.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50432CD3075DA392CAF85EB5C8FCDBB1,SHA256=6162BB50C4D51F0C7EC3E30577DDA15BB5C0600116628B876896F8535A2C8F4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:57.055{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:59.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43265C3F5E62ECF4DFBD594805442E,SHA256=A6FE0940B59078868EDD13CBFE8C3AFD0CDD180DE989B887774504A5992AF8BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:56.640{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:00.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECF3031948A3F6E66D8AED6EE50CA43,SHA256=F0759C6E773692F3B995072C3B9F3D6217268C6BDDF65432ABE0EB4782511B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:47:57.817{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:00.115{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68250EEFC2448337D199B0406C8D7421,SHA256=6C33138026569973E55FAD08E88473CAC48BC3013A75C10F9A7BCE062B68EB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:01.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C75ABCFE53625AB127C6BFE3C2FB705,SHA256=2CA8596422A25542DB752B982CABE723BD4A064AB0B1340F98074A4730B31F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:00.065{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:01.145{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F53B373ACAD8E1FE1BB49B37B0C21AE,SHA256=BE9E3FEF74A31F00C55BB5E4BA6A81BC85BD26652E13FC4E9AF8FB778C71EB79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:47:59.857{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59103-false10.0.1.12-8000- 23542300x8000000000000000973477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:02.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51787EE6D1E9AF04C03DEC12646053A2,SHA256=BF88E20024C4C429AACB680A7B97C87312A7EC8994DC26E9F0A0A54A8069A05F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:00.853{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:02.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610369EE4EC368757454D29916AB0B60,SHA256=BCAC9021A4596868DF081216EC2E57513C555B4A55B2F5A02E362A67A6DB4BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:03.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF23B265B53FCF5EBA2D6CD38D3006A,SHA256=D9FB9446ABC3F3DA0422ED8CDC67D81048858F2D1E7358E2359522FB668F7900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:03.645{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:03.414{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:03.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=771457FAE80BC2EBE0DB1BE7DBBB8CD4,SHA256=1EC306731A3B7ECF37440C390BB3A150D5C064A7C37A76C364FF1641080D82CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:03.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA1280391EFB6CC2ECC212F29D938F2,SHA256=53E678CB75978FCEF4CC7D57E123C5C99021BE21C8556B1D3826513C63F0047C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:04.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4EA970C532D8F7DE0473AABCC9D2EAB,SHA256=66C4F267586C6C0E360359913869744FA9E3BBE92579C2DD25F16B49459F1C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:04.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719B054923BBEDF105378BAB94090F2D,SHA256=AB25A61F82EA4A21BE278DF74010F39851F3A538F618EA1E95E32E6619F1153F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:05.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC63E990C88E5BC9DE465603C9DC2949,SHA256=6FDBC505456948C4C223DFBE30CC40821FA623B8A4BC4AE61438DE4FFE25971E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:05.212{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EED6CB0B169873A235DE55A166A09E,SHA256=F41415B670D5FF622E04E776DF40E928555397690614F7C4820B2CAF704102C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:06.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DF4E3AE6DE23A7886DE4659371CF75,SHA256=06162F35909A01A7682809466F13CA94047C4C9B696B5FA7528408819CF47E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:06.224{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57F003CDF13700C61686C19E2A1EB95,SHA256=35F64B2E088625BCC08994237C4E44D010276CBAB88F1B544DE95EF53FD09044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:07.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073D9955EDF46CF7F4B8D766B7F4783E,SHA256=5E3CB418D258BFA49A3B2C662AE8FC1254ABED2DFA1BFE90F4FD519CD24C8D45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:05.582{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:07.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787920B713A10913C00C9D63BCFE45F1,SHA256=494AE6902B9515D1F1B2E55D3B386F78E09E8D2A0EAAE27847E12223719C1AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:07.224{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990143F7E0C5DCBF27745337A490861B,SHA256=F20503225B20A0591B6EA29A1C245467F5AB989670FA564FB3F6D86C0E11A115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:08.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEC88AC7DE8C26775F7DA1C3DE9B4C8,SHA256=96097D53AF9458BB83D8D726218D07C42A7AD275338098C7AAB7E59330BAA05E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:06.777{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:08.323{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C91A1778FB47C6CCD0029E3FBED11A,SHA256=B9B90F0258F711802FED62561ED5A73E5261ABD678EDA6EA0261E80E69BCB8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:05.795{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59104-false10.0.1.12-8000- 354300x8000000000000000973486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:05.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:08.123{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B78FB39F284B11F19B83AA27AC483A14,SHA256=6B297E50626B940CEEA3AF2091D3B946661531135152F3047091B5AC2702D35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:08.123{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19489D97896D2E11F02B4E96B0F2A74E,SHA256=6A1ECBA121C34BF3830BD3683CA2670FA15FC22AFB3B00A298A689C979ED4670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:09.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064D6CA94FE1A800856FB4701F097108,SHA256=7A9E39CCE8B5C0F1B6328EB4329A289E282B5A454C6C44A8A1AD6FAE9DD806C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:09.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B495C6A11BA29E769A00D6A7B4B603,SHA256=9327E5E432DF6C1BA078E8312EBD1F661E334CADDAF9339D4BC28FF35E8C9DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:10.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F05C6D49151EF04E12A82AAF7E94F1C,SHA256=7CD8499FFE1E512F88286F3FD5B3C2A088F52ABA150BFE6DEF0CC8B5060C3537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:10.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072C97743BF8E71B2D977D12390C33BF,SHA256=131AC05DD30D616AF7A2F6EF9BA2E8BCC864B058FDE8DBEBB59E6909E07EBBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:11.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6CE116D6C45F7663A962253D519912,SHA256=BC9AA7AA042C0A3118DA6A1FFF5BDD1675A73AFAF18128F1E0DAC12262210FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:11.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395F63633327EB6154C6451D5E2977FF,SHA256=C5EA4685FB7B609B589FC14844A50B9457D4F587D6FE99B76F5D8000E720D33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:12.670{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7860F3D3673141ACCF16A824097E000,SHA256=77E76CEBDE1469D8360D7E3C7E4C4AE8AB98E42E88B708DA70CCB11BCE1F2D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:12.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EB2016F55A3DCB96DB67090C9163E1,SHA256=ED47DF68D84F2C9398973DC941AACC057534F8CF06C59836E1A954DC3F273F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:10.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64482-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:13.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A96BC3EDC8FFE493BE0B25E63CB987,SHA256=0CADE8CCE00D0E2B7F87BA34D5F77F560BEEDAB4D84EFE6A5A6C9D0065B607B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:12.177{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62783-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:11.928{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.784{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DB1A5B9BC9810DF08BF43ADC919B6A1,SHA256=4E4B7A47AB60CC82F0CE17BB64186B38FDD848C41EF6167104D9430F55900AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.784{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=951EE413E439F69A0DABDBDCFC95AB13,SHA256=85BE620695B961E35C841853FA542EA27C731D6A66F213FA8C495C852ED50866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1E91FB0C81BF1D19F21B682EE8FCA3,SHA256=200A060BFE945C00DA6A06295F7C231351AA622094FC575274ACCBC70CA66A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:13.170{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=046F4869800F4B67055C6CCCB6451E02,SHA256=B00D20405A0C0B235911FD552D3D34D0A019438ED1A54ED15377AF5C51FCE075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2F2A0C7C6FB1085830F9A1AC864F6E4A,SHA256=EE4437A7C36A49F4E2D694DA24717C62BCBAB32CEB1775894B3F9266B71C0935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=77DF32E92F12771CA24FF7FFFDA0FA49,SHA256=9C6B363444697F7E31953B0C1B7D972DBFDEE396B4FC70373262768E3FF521E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F758C3AD291724CE14526F5104E5DAE5,SHA256=0A48A111B48E8E968728B0F08B86530121BF846EADCA458E9F65336DE3106224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1F97E4A705E17EA678DF99662FE6DC95,SHA256=8ABAC5FEE95F1C1869DCB7E547A70C451CE1EC2370D47517A482A77914AE1BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:13.153{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=28D931ADCEAD97394E27F22E2F234FB9,SHA256=623F87AFDB7239EB22C8E450F21DF7E89909EF44A0E78D5385621584288ED56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:11.826{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59106-false10.0.1.12-8000- 354300x8000000000000000973499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:11.795{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59105-false10.0.1.12-8089- 23542300x8000000000000000973498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:14.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D323890AA56F791160EB481BA328880,SHA256=820778E1E1F5AA307E31DA3294E29D1BE5A648C1607B1E7DEBD3AF5AE0249C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:14.453{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D255E467B4B7748EE33F36C8A59819,SHA256=1752C0E6B25A2169349A7C6D12AA63FA827BB8DA93FFC0DA5056546A3FE30897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:14.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C936DA68AA275B547A686D626037EE,SHA256=BE2D899895DDB4D41D0E4CEAD2FBBB52E4572B3E80353E8238A52528A777D874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:14.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B78FB39F284B11F19B83AA27AC483A14,SHA256=6B297E50626B940CEEA3AF2091D3B946661531135152F3047091B5AC2702D35F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:13.013{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:15.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C26AE814F881187A9DF4B80C52E646C,SHA256=7E92220AC6A8EAF545BF3301AE06D5981B8C04ACDF96ED92FB1B560EF6F1188C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:15.821{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DB1A5B9BC9810DF08BF43ADC919B6A1,SHA256=4E4B7A47AB60CC82F0CE17BB64186B38FDD848C41EF6167104D9430F55900AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:15.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC52172AF866A4542A41A3DD7B30603,SHA256=D28260A582FE29EF8335D04B3D0E6C2E595E55065147D51288D396A828777EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:16.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAF152675BD7FA76E22AC60511B8A5D,SHA256=BAEF634FF3713FBED84577FFF6225915015C21FC25224C5F8A7B830819A51852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:16.536{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C70DF1078E33987F9E09AB9468C422E,SHA256=5E9E6D5F7BE57F8436FFC525A0F888FC619D6169E4B765FDEAD9AF3CDE3551AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:16.373{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C936DA68AA275B547A686D626037EE,SHA256=BE2D899895DDB4D41D0E4CEAD2FBBB52E4572B3E80353E8238A52528A777D874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:16.504{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001044489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:16.504{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:16.504{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfb8a449.TMPMD5=7D93624F5CF8CBBAC0F2127142FD7150,SHA256=C36B4849C39E2CBA10DBC0475F5815452605BC43D137C3FB248F0FE8BEFBDFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:17.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F337A35B6A0F8B77754579F42E204C6,SHA256=3369AA88454F4C3B98F8A0B58FC6D7ED5D9DFDD00FDE6CE42BB74D9E06518423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:15.775{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65413-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001044495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:15.775{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65413-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001044494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:17.536{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2863F7E5357A704E5F27FA26B4DE662,SHA256=A5F994D9D92FF914D908AB44D4FD1C3CAE7EF854A85313732CE9313C18B5270D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:17.468{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:17.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67681160222E920CCEF8A57BD44C7D33,SHA256=0F12A7E2F3DD35E4BC533897DFA2CE0D37685C56D293249CD020533C8C5E9BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:18.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE8D137AD09A032A820BE66000A7F11,SHA256=F55DFF5BEC81065992A1A092FB17B28FF482E950EA13BEA7386C04226CCE82B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:18.981{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF1B40E41544450B355533C2FE239DD,SHA256=BE80B01DF37C7C2B6E24BC449521F52DA84AD37119A92B3FCBB933FCE58ED8F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:16.537{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51357-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:18.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E27D583D120712A2E5BAE7A27C029D8,SHA256=C9BB334A107EE7C18BE26EB663824B9D16BEB4CF093770A2640EDBDE116A2470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:19.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6F6698E99BDB23BBE24073589E8C88,SHA256=006BB08A45369C9AD2B7DE9907529F385228AB9DECC415229B5548D5B388B2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:19.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAABD3C691AC739C806A3C138D85D45A,SHA256=4496862C17308415A2B369777826BA6EC99CE745C71E83D5E3A471F0FC87105F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:17.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36173EDE459EC61C9D3CDFC61B17ECD6,SHA256=8BBD7FC6068A1F56944E5A2E990F3D21D1D448EF52844E1278476158830B2378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:20.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529B52677329B628EDA16B847C02B0A6,SHA256=6935C1D0F47679A57C033EC1D80E328D5AD99C6651758D666E9A70FEACDA0DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:20.517{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:21.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E1FBE1D248F3F87405298AAF17D283,SHA256=6B0FE13A8C41002591B9DDCAD39F549186C8CF1DA4955E629A1E8867E08555A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:18.728{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:21.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D0EF0BBEB987FDEDA4725B989DBBAA,SHA256=6F69306B3AEC78BBD6A5A7950B16A2F4811CB8827BC1498EC785D34946735FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:21.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBD6EBD2E0541D15240BA60BE2455265,SHA256=94EBF94B90A22A90C1704036B60A1C37CFB23E7D61B42577A944AB8EE843CA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:21.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=475F4E2EB5C51AC08071F1DEBFE13CA5,SHA256=88C2225E81E6567697A40D960CF75A63A7A9549456C23BF511D8EC706F8202D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:17.795{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59107-false10.0.1.12-8000- 23542300x80000000000000001044535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:22.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5620E748CFEB60A5675BE4B958B9682,SHA256=985DEFC293AA15F3F365B151900A9CFBB4BF60608EAAC0D920412D576DD00951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:22.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE3A491E938E02F2DBE1DFA649A336E,SHA256=094A0664F6D480DA3DC694EF002D14C8D37F4898E3A43653D7A233A2DE1896A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:23.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDCB695DED906F48D9AA41A9F1EBD7D,SHA256=172E629F7D54C98210BDBED19584190247CCAA6CC9EBB7E3FEA122A1C9F99CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:23.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986C93F52221852AA27FDEA7D0DA5567,SHA256=DA6E88B32BB2FAC625B8D2EA36E2D1637280683CE82BFC1A5F7C0F319BEE8D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:24.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2763AD261CF8C8A26C419DEF554311,SHA256=B2FDD649A1B7525E02AAA8D4C879C7A05A9DFA96537895CC1A4FF994533566D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:24.879{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1250FAA25DF92A5C27DCEAD47CAED83,SHA256=0C98AD0F760369A2BB7EBB5FB4E104856D28233C1EA6120A9581AD4F4BB2882D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:25.896{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC00127577C0912F8ACC258880BB32F1,SHA256=94084A357E8756DF41CC0333AFF9C13AED152E6264DCE2E16356112F2CDD64B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:22.924{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:26.915{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE10C5A7FBB7664A900329FAA31A813,SHA256=D6E267AB1E24CDC12129B31868453117078F610BF69EA674CF6A1815D2696986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855A-6151-2079-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-855A-6151-2079-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.906{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855A-6151-2079-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.875{69CF5F33-855A-6151-2079-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000973531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.453{69CF5F33-855A-6151-1F79-00000000FD01}40242656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855A-6151-1F79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-855A-6151-1F79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.203{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855A-6151-1F79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.188{69CF5F33-855A-6151-1F79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8875687940F179B81F6F6F479F86766E,SHA256=ADB32A0B85CCA98AA8184AC077CE924A40A1C7DC3A1BAA84821181B719BCB51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:27.930{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9953D5660F276A057AA7EC886DA095,SHA256=0102F1FFD8550276D18135145E500415C2F27EE06A731B8F3485F8AEBC82A2F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855B-6151-2179-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-855B-6151-2179-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.578{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855B-6151-2179-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.564{69CF5F33-855B-6151-2179-00000000FD01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66D505EDCDA5C9694A97C51EA94C4B7,SHA256=295F2564411115FA28E0C7CD6D8CB97D23D6988B25B1D5E9A414E50E17268EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:24.361{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:23.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59108-false10.0.1.12-8000- 23542300x8000000000000000973547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F86EEC274A18B7590F22B6CD7AFCD1D,SHA256=A8BF605365A487A236960969DD0A485658574478403CBFAD9BE2C0C978071FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBD6EBD2E0541D15240BA60BE2455265,SHA256=94EBF94B90A22A90C1704036B60A1C37CFB23E7D61B42577A944AB8EE843CA51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:27.093{69CF5F33-855A-6151-2079-00000000FD01}29961080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855C-6151-2379-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-855C-6151-2379-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.954{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855C-6151-2379-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.940{69CF5F33-855C-6151-2379-00000000FD01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F86EEC274A18B7590F22B6CD7AFCD1D,SHA256=A8BF605365A487A236960969DD0A485658574478403CBFAD9BE2C0C978071FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355AB367B971199E63A83643D111FCE9,SHA256=F14C9A5356868F7A5AEE0DD6B760A55DFA638567599AB707CB9343613959682B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.535{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4285MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.453{69CF5F33-855C-6151-2279-00000000FD01}24243420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855C-6151-2279-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.265{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-855C-6151-2279-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.249{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855C-6151-2279-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:28.250{69CF5F33-855C-6151-2279-00000000FD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863C6CB4042CEE2598704BD2580EC0BE,SHA256=6BD631C55EF3E8614FDC2E9FEC590B9F6AEAD1479FFFF6260CA0F3F12D1F3ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8B1073D762EED5AAF9E8FF6BA007A1,SHA256=F32C52DBB1E6599DF6F09D66CE5824EBC6D88EB3DF40B067C88E7B84AA928370,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.844{69CF5F33-855D-6151-2479-00000000FD01}34524000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.160{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E90F775891A66275880BB4B99A9DC62,SHA256=AFFDD1B4CCAD3D3C065B524441BED7886C1141D3FFF83E35B1F4915AC60094C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E358BBE07CEA78CAB35C09FC72CEDF,SHA256=5B6B1A76C1CDB0E85DC2ECAC4ED0C49B2DB847F3D31AF442C3909472112A5C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-855D-6151-2479-00000000FD01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-855D-6151-2479-00000000FD01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.641{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-855D-6151-2479-00000000FD01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.627{69CF5F33-855D-6151-2479-00000000FD01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.534{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4286MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.003{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-52811-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BF2EE6C869CE9793E710C1A07C9EEF0C,SHA256=482DA004B5C41B3F315AAF85ED54B3BD0268573226F0B0E78D29FB346FF3CE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BD7E08DC757BE198BABE4B26DAA194E6,SHA256=B2F7152C5742241E102ACE43E45497DBF997DD73ED395E06FD87C40FD56CFAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=750793E88D55E33888A61C3662BD9912,SHA256=186BB2A3C4A702A08E0336D807CC8E1677FE3C4C05FA7523CC635336EB45278A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9F1C4F9AFFC57DA1F5142C4A07224A86,SHA256=F207C6F4646B0226544902F0E98D0C8B8CEBE4996354CA09DDCF85B50EE3C54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8367213042BB0EA305D80FFC389174B4,SHA256=207E409E16AAF4A2369FE43134EE6452432CACABD45F96EA2D8545804BB4D501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.013{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A748FABB02EB400B1AB5F2BAFD75A756,SHA256=E0605E101ECA7CD8B4135F40DA2D97CE3A47D6E6D140084A60F6907542A7C424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:30.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD88846C664B3DB6D8C9829D840E6369,SHA256=2C2734DD49C1B499FF38975F268F4320D342A5853CEBC31CA1BF8A397E5521D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:28.867{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:30.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5283179B122AEC1F0552FC8E25E705B,SHA256=9570AC5E45654D7B05B3844DB08711E3A77D37DEC61426B29190FE5C24274B8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:26.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:31.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C2D3029E8D15C44284486DF93CA66B,SHA256=19A5FBB24DCD5B50D509F5CB76D8B314A0BBE5D7A1D6C0B10D87FCB67789A4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.720{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.549{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.360{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:29.318{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001044554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:31.343{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:31.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A373DA9C26B20A93A7CEB75B55F7F8,SHA256=C3C9D2D553C96D8200A0B65F0D2D512EA51689194E216A3DB0E1CA80283C4587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:31.196{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53ECF4B5E0DB20E2F05641874F0712C,SHA256=ADC99CE5D1E480FFBF3CE82F414EABF708552DCE60479128D17F918D1A923104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:31.195{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B8BFE8872320FFE6C88165EADED6F9D,SHA256=EBB73B92503BAAA77EBC016C66A8BDA1B0A795DF364B6288D036C51C74AE9E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:32.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061239E986CC3687171811A8EE71E05F,SHA256=5946780159DC57E63802CEE0FCA706BDC9580FDA1C4CC9C9298D540D7FC05E20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:30.843{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com61923-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:32.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53ECF4B5E0DB20E2F05641874F0712C,SHA256=ADC99CE5D1E480FFBF3CE82F414EABF708552DCE60479128D17F918D1A923104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:32.492{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688EA18187E05F2BE874336DFD5C1FD4,SHA256=3703E179FCDC03988CFB68D3C566840515DF976891733EC530C80BBC1C162CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:29.835{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59109-false10.0.1.12-8000- 23542300x8000000000000000973616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:32.366{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01022A1868FFC388C2BF39EE403222A9,SHA256=622A9A62B74138E35B96E32C1246BD577D52FCE36E6EFE7FC7314B279E89E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:33.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34AA1BD2E0CBAC6D9DAD4369FA42C99,SHA256=69D5522481B9C8F980E6C79D7F2B422CD658FB0C92E94C58CD28EFE755FF6408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:33.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FC6F7D112D948715378F9F1246A2D6,SHA256=C748DBA94576D1A8B0B1AD310768BAA937900BA7A5A3C56D539ABD42452DEEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:34.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBBB5D366C709DADD0D647437A08118,SHA256=3E439CAE2B3FB23E28BAC6AEE9C14393D9A49D5C1677A5688F599CE9A9BD4652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:34.655{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E01A26BC3DF197448FEF303D2CE96D,SHA256=6A73F7F6E02A16FBE5F0C3D55B9991E52454D9CDDD389EDEFE182F50070E2770,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:31.456{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:35.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601B66DEF95279A10F07B64A1691AF39,SHA256=63C2A1D1625502620965BA710DAA0306FBA6B155B26BBC0E98BEDE7ECF0B27E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:35.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B81D2825201FCA1E537F22A0F57E7BC,SHA256=C007E5C26C4CA7044D6FB1526DC44654C012BD52515F0DBF1E3861A8F2464DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:32.758{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:35.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B07FD8E6125D0A099E7874FE037925F,SHA256=3E19F0B5D81C64B085FEA3494E2A4BD55641B6F33166FFABB1D3E06611FC47BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:35.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D0816D058F85238B11579D53E10B180,SHA256=008AA3A2FF49993888D123D358DAEB662239CD753B99A05E29E33E80E898F7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:36.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF985CF283C9C2AE8A97EDB9A6AE8C4,SHA256=B1A781EE2DFA46C4A57624E37588C64A2E9EB3EFE11558A5C66359F7EBE7CCC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:34.762{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:36.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06832699207EABE7B53E458AB817E53A,SHA256=8E3864B0169C5A1C0BEF30898835682C4D65518C099113D8A210987F58C39F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:36.106{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:32.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45176-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:37.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7EAB4387002D74E71E06AC542B7FB2,SHA256=6B29D7DC78A4C7A363BBABB19D6C72282D3A735DDB362442551F00D235076AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:35.776{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001044568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:37.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C52D1A89AE43FB16F312F962E02B3A,SHA256=7DB507FCBB242368814B8C018E81A7617685C0C7973400F0B2BD7D84A6CB6ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D71D110B1EEC08F57B8B76F0EA23D5F,SHA256=84F2800AB227B8370F50647497D6C90AD959EA259DD535E8378DB6CB2FBA89FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:38.804{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA862DC086B68DA493E5DD09078820BC,SHA256=3BB609D5A85343D084BDDACA2C3467F4299832F7479C3C50EB9D54DBAFD28F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:36.069{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50684-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:35.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:35.788{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59110-false10.0.1.12-8000- 23542300x8000000000000000973642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B07FD8E6125D0A099E7874FE037925F,SHA256=3E19F0B5D81C64B085FEA3494E2A4BD55641B6F33166FFABB1D3E06611FC47BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8566-6151-2579-00000000FD01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8566-6151-2579-00000000FD01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.194{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8566-6151-2579-00000000FD01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.179{69CF5F33-8566-6151-2579-00000000FD01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:39.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD715F0A3070472E1AA56CBFFE325D3,SHA256=9AA4F436132E1B531EB4C5F35E9C47641B4596AE9964069CA0905170AC618952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:39.819{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F72C48B5359E701EB6129C7B8B8D776,SHA256=21D74B27D7EC6F8DC5E027BD2052DB0FCFE1AF61A3264BA6494D66CD31A6D946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:39.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D469D04909BC272DBE8B16AC70DDECC,SHA256=575D0477E573E19B624CCD635794CFAAAD6C4EEB3336E2133A18D742982E359E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:37.159{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:37.139{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18032-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:36.671{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:39.067{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C1577EAEB4552726B43CFFF237097F7,SHA256=5D0CEE89F0F49ECD62BF3A5DC9068FB7C6F37919531315206B5649FFAE934D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:40.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9874392FC55B26B5106AE50FE26AFE9C,SHA256=62ED6E9DB0EF4DDF5D9DCEE7699D6481AFA16FF7C68276FC40C01111527E182E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:40.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C0D254E33C50AEF28417CAFA17F1FB,SHA256=A222F22B81B8EF5E5145757C17CC9E98E049F506C85FD74ABE9792E410378A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:41.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D851673E96B00F17746BFC96172C8F5,SHA256=B5920B65C373219A871B3C46F62AE6066BFBB7D11FCCF5EF6DFA7C2E6900AA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:41.850{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E69406452C9930D021850210CA76896,SHA256=1B1A95F9862E8A4D421777DB5B960110EAFC9E77773967E7A72136C8C841F44D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:39.926{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:41.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23EC8A335B7A2D7A88AE5FD69401E4E,SHA256=35846DBAA8D53802A5C8B484C025D1D47739A2E1E05EBD5E638B9AFD06EAADC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:42.850{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E1AF47896413403D43183D7902C4D3,SHA256=36F21C4015A4BC5DFFCEC91D37AA54074E617139903907B723DF492A5B64E695,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:38.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27207-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:43.884{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1247596ED9DF079B87EB17E51DC5BA,SHA256=EBBD58951AB70103946C410359547CE179EA4B06FF4FC0F7F3821EAE0A35122F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:41.753{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50679-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000973657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:43.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2269A44CCA9B3B467E889D621BC872E0,SHA256=AADB69FCEFC6046C221FC8921175701A43671CC0E3494913512B8A4FE023D529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:43.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63163397102578E554AB3E096EA4FB79,SHA256=C3E10422DCA3BA16C5065B0098DFEA416E7FD609EFEB2FDBFF47381C96D6E611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:43.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB073B20B1386E4338930CF27C36E34A,SHA256=A96A8F84EF67761640119DF199B32C851E06AFD6E412A9A96F895816E3E6700E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:43.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ACDA5B3EB283D2E2D46A08858348F54,SHA256=0176B2C223D470C5B10F43D10EC7FE2664F281989FEB15EC47FFA613DA07FCD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-856C-6151-7D79-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29573731083DFDD2BDF9CCA9558CD070,SHA256=519791D08C38CB6724BBD7DED586615E7D03604493EA106B7200297D9A14099E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-856C-6151-7D79-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.902{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-856C-6151-7D79-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:44.881{5EBD8912-856C-6151-7D79-00000000FC01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:44.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91473B49E61E26E319B4A745EC6AEF08,SHA256=EE98747C9BE261C7C85520FC19D32DE0ABD11CB401A344BDA801BF8094D4C058,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:40.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36415-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:44.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0A8431CC7B92324607B66DEFB03F5C,SHA256=E973D673723B4DA726FEBDA1B37D15EC3C958EBC1EC2AB0A3E6178222873C77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210984F7F3FFD6382C0B7270235E7FDA,SHA256=04A0E22B441C1598BD203A591274146C9EE94E7938E69A0F598640B3E392F373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:45.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B1AB4DF8E42B41913F37AAA343E0C7,SHA256=4318E04F038B118D2E4C133BB715D3023141C1F47375DD8F78190A63F616B12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:45.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC38ED806D8A6B49F579374D76D02E9,SHA256=47716F8909443C51AB5A72D2683D7E35565A558650C43BE77E2E5E33A5B4C86F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.933{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.895{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63163397102578E554AB3E096EA4FB79,SHA256=C3E10422DCA3BA16C5065B0098DFEA416E7FD609EFEB2FDBFF47381C96D6E611,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-856D-6151-7E79-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-856D-6151-7E79-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.580{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-856D-6151-7E79-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.565{5EBD8912-856D-6151-7E79-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000973662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:41.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45962-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:41.677{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59111-false10.0.1.12-8000- 23542300x8000000000000000973666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:46.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F255D953E8B1040AB0DF0BEE5AA88FB,SHA256=DB7FF8CAB5A7B81747ED0F2EFB16B211A5E701B0D7517DCD2C3F0416180122C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.380{5EBD8912-856E-6151-7F79-00000000FC01}22844300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-856E-6151-7F79-00000000FC01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-856E-6151-7F79-00000000FC01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.164{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-856E-6151-7F79-00000000FC01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.149{5EBD8912-856E-6151-7F79-00000000FC01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000973665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:43.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-54090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:47.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCEA3F144A7ABC654739387217DDB68,SHA256=1DF8A25D6781212228C18BDBE9CC84014A66B935704945ECAC583E23320358AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:47.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B1D045841382FBC1D0B95EDEBE64417,SHA256=96B76DF6CCFB53A8CC60C5217FA93F52AA5DA6BBB91E23438D6DA3FC6ECAFC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.996{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF1559BD942EE434E604B4DDE325DD4,SHA256=2CECA8FCF88826D3B5B80AA57DDB552EFAA16DC2EE0017F6300DE9F731C9B11E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:44.767{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3113-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:47.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09EA859B0EC9F33A809A6F0A52F30F7E,SHA256=F46D32268237D6B749144963550D59A2C8455213D65FC3084CE79B8B0DB52630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:48.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD5D977ACA7560A50C918F942C83273,SHA256=9588CE5B7FBC9B487B8A056DE0224E31917C3849F3D258D75708174133235F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:45.858{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:48.033{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACC46EEBC9D1C09C62D02DEC27FFEC9,SHA256=75B49B793F02E61704FC6A26371D8CD5241411F71AF9E0679E0E16480D711B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:49.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40D6C2DD7DBAE707556684C7DDB84D1,SHA256=09E3EBC9A614B9226995DBF68B457E4D1801E7D79069593C938461BAD65F10F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.827{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65421-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001044615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:46.827{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65421-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001044614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:49.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99DF8EBB946E2CA0D7F2EFADA252E27,SHA256=7BDF05D88873D04C3FAADCEC5A7687572CBA59190240A70BB96BDA99A9F1684C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:50.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C593E639D0FEA4D698D2B8934E3E33EB,SHA256=A0EE4F4FBDC5B8F5E7680EFBB366722870808AAD3CB6F5FFCFB91169F3912B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:50.878{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-79BE-6151-D877-00000000FC01}5020C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:50.062{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB5E8E07232A938368437A65274AA6,SHA256=2019229689E428F10C0AC44BCECFC856929DBE8852EF3938424DE251770C9168,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:46.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59112-false10.0.1.12-8000- 23542300x80000000000000001044619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:51.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E6766475201D0153B1DA58ED4092C2,SHA256=51E050CC0CA6DA8D856FFCCFD74634109C5EED85D090A1E3C4E38A48B1E6FC0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:47.683{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12254-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:49.817{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com39977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:49.697{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56390-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:52.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8F12407675F33C5E11EB5EE8E61C88E,SHA256=5238A2D7AF66909CB25AAE9DD68C5171012D3E09B745D57F836062629881728D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:52.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB39B66E5F240BA30D26AED2082922B1,SHA256=A88F5A5C632F5DB1345FCE0E0C8F5DBE32A795F4C512649D742C536D4B0AB4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:52.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9276BBC5A50D10014FCA89778CEEBF0,SHA256=AF00C10A4761ECFBD3A4145F6AB7A9E9C50A1DAA573D29C5662804C45ADFA709,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:50.416{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56189-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:52.111{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFF1A019DF215F2C3E4068AD7A64C03,SHA256=952276C404CAAC4F0A940CE5F8B708D96E7B325DA490354000ACFED71FBEDF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:53.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F532B8D190B0C0C21F5025B32B0E4F,SHA256=7E8EC189305D1F8A1EDE8EEC998D05E7F1D62062B174BC07C964E5EF34EEE92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:53.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD4B8B40344BA175748E5AEB66F79C9,SHA256=BC94884B910064C5F4C9B1880DC943666730D982F91F1B3487EBB8A87EFFA176,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:51.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:51.646{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:53.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEDE8FC8F23DA479711A6DB4369435C,SHA256=AC14AB0C34F16A710DDDC67D7794077952FCB287D81458B4AF08B2D053AF8303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:54.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE07C33DBB57A2FECDEF9ED4165FA4F,SHA256=5A83838AF9E10242532751E3F7D25EEFC605168C37E539B4764EAB52D6184786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8576-6151-8179-00000000FC01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8576-6151-8179-00000000FC01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.812{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8576-6151-8179-00000000FC01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.807{5EBD8912-8576-6151-8179-00000000FC01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001044637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.308{5EBD8912-8576-6151-8079-00000000FC01}16485836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:51.944{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com42333-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001044635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8576-6151-8079-00000000FC01}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85F8F8F1B7386604842FF0E4F3567AC,SHA256=B5B0297533A63C858FB3B63E70D70B1FF896FE29526575E2166B2CEE01D9EC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8576-6151-8079-00000000FC01}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.129{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8576-6151-8079-00000000FC01}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:54.108{5EBD8912-8576-6151-8079-00000000FC01}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000973682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:52.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59113-false10.0.1.12-8000- 23542300x8000000000000000973681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:55.145{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6E485897146DE47BEED5AA2511AACF,SHA256=51AC74C17CF7C6B87B47C8931E8EBE9F07661F12E1E72FB584E117AABC231306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.859{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8577-6151-8279-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8577-6151-8279-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.375{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8577-6151-8279-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.361{5EBD8912-8577-6151-8279-00000000FC01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001044649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:53.416{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62286-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358DF4ACF06109295F345EE160D94017,SHA256=5E4CB3B618AEEF7CD04D8BDEF0CC38CC84C71E78B9812A24F6C5F9B85D45D839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.128{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4930EE2F2F7F96B1B4410C15EEEF06F4,SHA256=5CD9AFFAD5D015C204B08B4EBF5FD98DED372E17D9C15AF9126A05A05CFC1FC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:55.012{5EBD8912-8576-6151-8179-00000000FC01}67124616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000973684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:52.902{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44224-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:56.145{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98BBC4F746D6AB06B76F6D596272BA3,SHA256=00F899489C27646520E9730A37DC99B2B1C4874C3AC6D848DD22B1B9D4A61E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.976{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4285MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.227{5EBD8912-8578-6151-8379-00000000FC01}48926816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.175{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAD46A5EE2E220B7FE99269CC60012F,SHA256=0DDB16F2A3B4752CF0B7ED434BA4610E5AD7E0CB6B94F2964860E7E4DB429B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F18B78FE21702D33C79099C6AFCC04F2,SHA256=0736AF5589516BA4CC7417B55F21DB39B143C10AD0A44B066729C41EE06D51FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8578-6151-8379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8578-6151-8379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.059{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8578-6151-8379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:56.044{5EBD8912-8578-6151-8379-00000000FC01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:57.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CE17E6663D2F58E386F1D65D287DF2,SHA256=39A1217DEC89800A5CD5C62F6B22020E15104299706EB16BD2BB0F58C9BB14F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.975{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4286MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.673{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001044672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.342{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.189{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA130059795DD1C8E8F64C7DD6C67B,SHA256=EBEB137B446FC7A532B3D5707C3A3544F0BC96351D9CF4DD76B38B9DC7941FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.277{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65424-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001044679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.277{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65424-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001044678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.268{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65423-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001044677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.268{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65423-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001044676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:58.589{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B92F8B78ED4B6B6908549FEBD8EA966,SHA256=01E84AB03FE3E09BC0917514C3171ED82FFE33A5BC1EA8693B60E0D7CD8D5F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:58.211{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B42DE40767C5FEE767F83DC3F7C63,SHA256=5224F323489878C025B48FBDD1F3BBF8983758952C40C023C09A34ED3A6E5026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:58.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD8B73331F7B3F1C49FAE5FAF247B32,SHA256=A45CB25020DE503B24C0BA9BBF18DBD587D1362408DFB8F2D8F5F95535A77145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:58.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F7BCFDEE5B233BC47E1E8DE08A4D808,SHA256=C370CC38C79A6A609A6C284A2727CA0EAF536859AB39B41ACC6A37DB7AB869C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:58.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC71EB5106163594BE34332C67F26F95,SHA256=78882DE743A2F793727450B22CD4A72DB854BF9AB14C778E4F9D9EF4528C295E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:59.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F8478C6119712F6D91D88FC9F7AED4,SHA256=B6EF9FB6E096947F6C970ECFB7AB19DC531A23AFAFA36E721CDD16124DD77AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:59.176{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7573811E0F3FB3EA5C16AEC89F18622A,SHA256=C9905422839817F96C2B667C546226A240AF0761DCDAE7500FEAA25F57BA76BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:57.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:57.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:00.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD8B73331F7B3F1C49FAE5FAF247B32,SHA256=A45CB25020DE503B24C0BA9BBF18DBD587D1362408DFB8F2D8F5F95535A77145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:00.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B22278771DE2EA3847AD1BEB994E383,SHA256=2BE19F624368D82CBA46BCF02051C2623D68D16DDF24A31AD1D13CD3719EF269,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:58.232{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61107-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:48:57.718{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:00.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3250D3358008E3F5FFDF1B963B59E836,SHA256=F718CE7721B47A41B20F414F03AD3F86DF8E5AF1D23A7A7EB7402A3484CEB9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:01.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F7DEBCA15CCD9223DCCE720C45AD3D,SHA256=4E6A5BD52093DCE3B342E2DE7FBC477B31F53EFF05EADF585085F9111EBE48CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:01.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B62B8AF7F8FA45CF51CBF2E7A61CD3,SHA256=84ECA6D51802EEE46622EBCA5D7538A17EDEDD12DDE2CDF9B06CFD69358B327E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:01.026{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715058F611BD51925DA23CA044A2AE57,SHA256=FA5E58642705EE870B2BD06A1DE14F83C5275C44DD14B79AE17470295F4E4DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:02.222{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DF0F2D29721F6AB4692FE17812A3DA,SHA256=553FC66E5B28F81262B32C2D541E77C039F4074362CFE065E04D4A6AA6437CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:00.279{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61907-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:02.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9B1B2CEAD5349AE62902A071E9C9A,SHA256=41D523828A2AF46FD77B7B13E81A111DC38C2CD1E223011FACB9D553F789C2F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:58.833{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59114-false10.0.1.12-8000- 354300x8000000000000000973695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:48:58.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:02.189{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD4262092D5BA10EACF76AC6EF622B3,SHA256=A149E159E07A11345B8C2D3C0C8C27698E44CD01D1C91FCC2C5CEF342AA7D47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:03.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6C82C5AB303C1FE55FCC706A50FB888,SHA256=44931637D1F890ABE637B9852AB6622D639E2F168376E00B4462746A19B93A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:03.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3A7B9ECA55271461A5762E346EC2AE,SHA256=8E3B3224A0423E5565C968BD631BC016D64E709FD244F1BC3D027ECC0883ABB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:03.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04113A6701613D6138F62CEC23F40261,SHA256=4D71992D855E4B31EE4A43BCDAA4ABF7DDCF4A8109EA14F2904EDBC4B623FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:04.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CD2D4236B937A1FF69505BB9CADE83,SHA256=72D2FB9A51BC0626C5BEC4B1EC8136AF3019A42DDD9563B4FCAF01A7541F6B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:04.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38931D3EA09216B341CD9AE5A5ED8CA5,SHA256=F754E54C842E0C252BB2263A2A153CB82BA595A04650A2622BA0C6000E9CD903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:04.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364F2331EE8670B4CFCCFE296DD81855,SHA256=C4C00CF83ED0320D6F4AA8E31D5AA1BE5CD4B5337D433AF89D772B474742138F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.854{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2C339035CD20DCE7614FD4948B3ADD7D,SHA256=0D3BD3558EBE881F2716C5DD831E5D1D57AD0D70BB6FC71A2E833E74744739DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=722C3419B1BA9EBAF478B74F9661C89C,SHA256=6F9CB05CD751BA1414FCB1FA2B1D7FF4245472B71D7B92E4035424BD493999CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=82BAD9730F7E148C4678544D8BB69AD5,SHA256=793A9AC6A375CC5D29EFB85346B7307069BDAF15717BF410974075669CD94792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DB70EF9121DDE813DEBBC136ABAAD552,SHA256=DBD07A1653525CCF5023477EDA046044CE6FD01E7FEEE23933074A93C7CD7E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=54D28A3879ABC363FEB4851F91AAB0D9,SHA256=F55EF0760E8AADC3005732DE6B61B74DB8014068F6E42BB37EAB6F68A1F04C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=52C4916B7ACBD5F1D7657E90ADD16B0F,SHA256=640E05F2A1FC6075EB3F87E36B8C04B7A5BFD67B5566E5877681227FEC33734A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:02.899{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:02.473{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com49916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:05.470{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D528ED790E2E006ED8F88D9E4FC73C,SHA256=83CA38E92EEECFCB4047FF05399CBB4A695E41FC689E1632A592273D76962EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:05.269{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AB74192FBEF2B0D779EA19237EAA26,SHA256=8DC66AF808080D0254CA7508570CAE279BE3F33C121CAFE21CEF49EBD4F128FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:06.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA209A04DDD65526B984F5586E28A34,SHA256=5C3EB71BEBED22524B14308FB933DBDB6200D4AED8E9D4883C77AEDA68B2E037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:06.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84492602201B3D2B597A9A9A9F359349,SHA256=1C3A202C3F4BD933ACBA544D6C8C95727A1A386B7DFF2C1AEBFAD77480FAF3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:07.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33709FE01224416906DE4D8C69EFB85,SHA256=BCDC67BFA706F9D1F6EA592361C661794D17ABAF88DFA0A22F6099769908B7E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:03.966{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-47626-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:03.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59115-false10.0.1.12-8000- 23542300x80000000000000001044705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:07.568{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1582B72EA18ACA66478F5434C4007765,SHA256=A855BA201245E9B664CC86E3B90BF3E904CE613303EACC5B6135005A1E41A53E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:07.453{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:08.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC28B2A04888B79CD1B6806BEB8CB94,SHA256=C94B1894746875F680C881A8B477298EC001F29011AE9B4743B208EA2C565727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:08.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC27CF42D1FABBA9DC6C7DF73067E827,SHA256=D5DAA81892A9F4D29FA895A4FA16C0062FAC8DC4A5043437CF073DE2D92339BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:09.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66ED1EA94C9852062C2CC06FC7EF0FC,SHA256=DD5EB561430CDAB58CF2BEF3D0B1C0C78006086F7EABB69F519703AAB090D667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:07.928{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:09.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8AE6C134873EBC45B29FDA6EAA6D0F,SHA256=C89A6BA0DD203D08480414D194F2F66EBB6314802C70CDD2326C10DE5235CFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:09.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE64391CCD45A410E667CD31AF5490E4,SHA256=752DA9BD2EC55624AD58B51037DB4A49FD35DC8304D2D27D7DF02BA5EA095CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:09.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E558ABF97E1A327AFF65EF111550BDC2,SHA256=858CC6960F574FED8324460B617104E469C9DA0B81A5DB254A1C6345C6B09284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:09.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5561DC4A26054010AA44B43A6D8E46DF,SHA256=E5EC483A3C18EA577B56620B19632EFA624CAA16C20A4A19F645B759FAAA1DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:09.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACD25474C3711B677BE3E13D6D3965D5,SHA256=2F844729066735B1637F292989EA9592C784DAA89DE8BEB1FC08D3F06765E327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.803{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=90E30565C4DA7708CBAC96F812C18EEF,SHA256=6E087205405912D0AD1EB219B28754B856E39CCAA34337760F441085F80983DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.803{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5BA6A4DA38B665CAE96980C2A4E2FDC9,SHA256=82379BE3DE4AE1B50F376E3552222A1260311C9D40A9BC590783A6740DD0623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.802{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=659D78B7237BBF24D836D3C6CBECE187,SHA256=5402EDAFAD4B79D6E124AE58E2155932157C6599E018AE4EF255EFE154A2E9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D86D68206C9AE507212B23F6303D8826,SHA256=314F832AC3FB630C44C7BFD5E49246BEAA3F4FA5BDF2E45853F695F0A0572CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.799{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5D3B4A1CD7D6D8A701AD854265F890A2,SHA256=768D39AC48ABE542F1767ED4E7A5453185B0D1F0D5002621A49E4832B5521BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.798{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B603CC0DE9FC22B51BD4B073BC93B485,SHA256=79B4BC14EA5420B1EEAEFFC212DD4FDA6BD1B910E2179DDFE5AAF4E38E3B9D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F966453CB787E1090D7549D78591443A,SHA256=D16F1651B6A4B6F903F35671C48749903AA21A7583EB98CA2D83C9A8ABA12809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:10.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8AE6C134873EBC45B29FDA6EAA6D0F,SHA256=C89A6BA0DD203D08480414D194F2F66EBB6314802C70CDD2326C10DE5235CFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:10.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9721B9F8B29A8EFA15AB4ABA5E30C906,SHA256=E3545A58060010F57A51725686E14A9880AA1F644F161569772B165D2C81D807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:10.750{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5561DC4A26054010AA44B43A6D8E46DF,SHA256=E5EC483A3C18EA577B56620B19632EFA624CAA16C20A4A19F645B759FAAA1DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:11.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8BE73E983A3D27000015C4A4CDEE0C,SHA256=A2ACA6F75BA39DB15549005E2D01BA088073862EE9C4129C2B7231BD6BAB9374,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:09.189{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:09.113{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000973714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:08.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51762-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:08.146{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21078-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:11.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064F5AC2A825E5BCC8202CBE0463A813,SHA256=7A43ED9E685BA90C795CC6BBCE322B4EF7B309E60D431A24FD70361A483A272B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:12.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AFA3B40C7336B10B95913DA9F34F96,SHA256=E50FD6A9187EB16F67E37409BC6120750CC427FCEB9A88B9C6B418B3ADD7D8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:12.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787372BBB9B5DF89348949B22065EABB,SHA256=390B002F30CDD06143BBFF5B80C38B2E767C8653E1D0AB43448B149CAA51A270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:12.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE19C9D088EC89DBB13AFCD64E0FE5BC,SHA256=5A7D551B5C78458D670A1EC8F193A687A382216FAC359EFEBDE822A3A361A5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:13.818{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BADC3EDE0F33F9446342BAC4488047F,SHA256=9D22A31B290C63EF580B43E9CD8002DD04F91F9F5CB6E9013EB0757A00E2DAB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:09.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59116-false10.0.1.12-8000- 354300x8000000000000000973719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:09.673{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29753-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:13.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE696D0AFEC0AEC185D84EEDE6886D89,SHA256=1806D21CD3B8CE543A28C27546FF7B2557F175034D01E6FE2DB3945CCF830BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:13.191{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:14.832{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD9F9D316B48A0F3C5D013600FC2AA8,SHA256=6BF6C558E90342C33FCF342E821516D47BB10604BA5C3B31C86C5559D66B3E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:14.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58FEFAE1D4684F0D3BF16EF8121E8A8,SHA256=365625F4F956B27FC8F7EE25361BB1E4E48DAB5FC358FE4A8E6D89FE1F5E1422,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:11.816{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59117-false10.0.1.12-8089- 354300x8000000000000000973723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:11.780{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:11.238{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000973721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:14.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834E028B1223EC18D3F3F9A910B2A3CF,SHA256=3436A68DEB977C2485B1F226A5715C058B1C719010AA660AD3D0DF6DE8BA9386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:14.664{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:15.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124AFC77CCAA46FE18CDBE15D9CE7799,SHA256=4F32326C4E0A9A2EA4121C9BC40C1BA7A7F36B10B4F9AB2AB5ACA90C22CBE3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:15.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A244A41B511376D2F23C049E6CC521,SHA256=D4CE853A9F1452AF5712C186142782D582D0A7E2C945FB40BC0A52F6ABE0E786,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:13.791{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:13.567{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:15.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B22DE4BDD8A3EE7C047BF1D930B6415,SHA256=E77D88B00B66F3E6D86221A883CCB780BF6464B58658861D0C602A14001F6BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:16.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAF98F0348EC0299848EEE46DA10A1E,SHA256=ED6CE1989D63A6A1E977C6A5F25B82540DD27236087A3959CE45F5E8F3F34ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:16.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2601EC1E2DC2A2EFBAADEB8A892C861D,SHA256=8B2826534788275BCE9219E07B0F810710AD1AF41222FB38FFE1B98095405F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:14.695{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-56933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:14.433{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:14.320{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:17.922{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C23BE288F3387D588F0135F6BE0783A,SHA256=8AA265A806D158B025950AB51769EEF54E7CD1DFABD610D0622BD39D37A53A3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:14.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51744-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:17.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FC3186169975808366B15724FD0486,SHA256=867C8E39D9757560DDA91DBCE050E738AE1E5B7D4DA02BDA0D95967D35890E64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:15.791{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65429-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001044735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:15.791{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65429-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001044734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:17.084{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7891C6EAFDBFD2F5694FAE44D50E1C4,SHA256=E85BEA188AEED4368C8678CEB2A70E30646912433762EC3A0D65A808B7F62C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:18.922{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E310635F30706863768BF968E910521D,SHA256=AF08E62E56553A633D58D42DE3D6D47955E313A515DDF9DDEE15140A91F1A44D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:15.738{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59118-false10.0.1.12-8000- 354300x8000000000000000973733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:15.647{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:15.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50915-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:18.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627A11784E08E498FEBF0000224161CE,SHA256=F99B7E32C398D467407FD2800EA028C98469D11674D1C409142AF633523DA798,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:16.333{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse8.46.162.250-56177-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:18.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B05E20A43317ED01BEE44E465C284D,SHA256=36CFFB9F27A8710128EFB43FA523B0CAD664DD2622E0C8B36064CF626B50E987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:18.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3123D04BEAC96B255F2873C0C2B1A94,SHA256=22DC73AA80DD83C4F1755C3F7392E978907B782DB9CDD28BA3BA1F547FD2060A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:19.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB7E7D6919F21F02C8E89DF689D0B84,SHA256=78E978A5CE2FB3168A6BB14EF77CB2A80DA8789496D06EB462390545D033D2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:20.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194694DD8E1B07E7634B2CC85EC6D04D,SHA256=C35D0717783027F6462C7546BF7FBF52FE564702DE774B7323F337F174FEDC52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:18.895{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:20.003{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F035DE8966D6D5DACAC99D4262773E26,SHA256=288CE5A028F264F0FAAA6203387B2CC8EE5DB01607CB9E10FAD5DF977E891685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:20.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60CAB3A3936045F5FB3F96A3D64AA580,SHA256=7B6B21F387BFFD4A1FDD33F7782EF33DE894BA5F75FD56009654017149C6A816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:21.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461458195C53AAF8DF6CA66AA2A33995,SHA256=EAD478C85F9524FFD17990E5F24F9BC39D68B0F935400F02009C92EBC702BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:21.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FBEF2B7B3109A6D1C1B644D9D518CF,SHA256=F678FA8A01C46EC620F6A1C38EC949312DD6FF10E3D95EA3EA9499FF7288A5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:22.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCFAF9F82AD5842F4E301FF6EDC7DAA,SHA256=317097A1384E72468163CEF85C38AF6587ACD472294808C90CCEDE4A8E427E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:22.950{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A26E807CC0475825B375FBFEDC22A884,SHA256=7007A2612860B61B3492310068C8D2809FBFFA7E89A19D61BE9F8E9C2D1AF47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:22.044{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EFFE46E69B7018A18B238569F1BA4C,SHA256=86E6854EB514B9E6C1D33ADAB9D7C81C7EF3129D930E6614695D2D9C3871D4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:21.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:20.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25709-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:23.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1806414EE900086A46C5C6ABEF080A,SHA256=B3C88CAE5684DF59E52B15E00B20395981EB058D0CA0362CA66F9760150D9712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:23.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBC701D9DF886A9285DEE4337DF0DB3,SHA256=6DE97246735802795248D30343EDE34DF8C0D4DD8EBB8D1A4C36AB8E51A24652,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:22.222{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:21.755{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59119-false10.0.1.12-8000- 23542300x8000000000000000973744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:24.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFFE98C3088768EBD019FC4F8CB1C15,SHA256=4D1EE2788C5F94FC7F0A4FF9A4B1154B495B644A08C985CF3F045C59B68BC5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:24.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4775DF337F550428F9E2E8A90D8CFB,SHA256=A17EFF966BAFF0A338CF788F600A1F3C731FF1A91EB9B56AA5F3D19A253BFEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:24.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35EE7E78971304F0DE6D3662DC70DDD1,SHA256=2DA81D560FC7DDD4814EA3BFF4549D00670E4C9FC3C6DF09F660EBD75F3F9322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:25.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE124709582CF4E056C1F07B78295A3,SHA256=BA341B55D22858719382BD27281020B53F20510FD43EDDD1755FEC70CBA55195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:25.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C576AE80385A4F958DA073A546E3CA2E,SHA256=FA401D8F2C2B50722422C39979E18E915CF97BAA73124D094F637E9D14CF2D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:25.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D3109DE77DD6B9D44878D05638429F,SHA256=E9C4A0D00A3DFCED6319A57461CC054DA64392DA0978A74144E10CA8D661D0C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8596-6151-2779-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8596-6151-2779-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.896{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8596-6151-2779-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.881{69CF5F33-8596-6151-2779-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05A609D40DF4B93D2F8F6F3841F7CA9,SHA256=25FB8FA2A9C39C7838C70D664CC207B9E9BC9C0A903BB965385E5FE1691DC4C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:24.756{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:26.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0567AFF1B0A9FB620095450D25F6CD,SHA256=F8C2717D94F476B2D8FBBB3822563BB97D69AF9747FD26485DBFDC58A6E52C6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.443{69CF5F33-8596-6151-2679-00000000FD01}18961720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.224{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8596-6151-2679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8596-6151-2679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.209{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8596-6151-2679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.194{69CF5F33-8596-6151-2679-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000973792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8597-6151-2879-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8597-6151-2879-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.584{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8597-6151-2879-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.569{69CF5F33-8597-6151-2879-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7213A3A3DC5EACBD6D6488A87299075,SHA256=88F1509A82EC80CBCF472EF45EE7DF03A0689C1F67704B46A242B8CE59714C9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.798{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.797{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.797{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.781{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.781{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.781{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.781{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DCE68B3F7CC5A5B8D1538E927705ED,SHA256=7FA25E16082284F67FFFFB8736149237FDF76864F2C4A95C039C9D31E8707570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.209{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=400DAFED503237960BBD1BE1E869BAC9,SHA256=B57803E1064C8BBC8207B1A205025EF5B6F63C71B28296FC57869288957D45E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.099{69CF5F33-8596-6151-2779-00000000FD01}15201372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8598-6151-2A79-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8598-6151-2A79-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.959{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8598-6151-2A79-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.944{69CF5F33-8598-6151-2A79-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D921EA02049615850B12F2B47738DC2,SHA256=9905C35BAE0A82075276F04F734FAE132D58A71B8F7399AB68EC22DC92C4531F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:28.930{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B2D8CB0AD3EBF697D37EC94AEAD026A,SHA256=B9AB94DFA01540444611BA7666EF064354E545921F18CB9E11B7F9C607177C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:28.930{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AC341984B545DCB95F78947CC8CDAA4,SHA256=DD5136671F2F76CC9D4A2455FBEF2333A25ACE92F998E837C2C3FCBB102D73D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:28.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5567CC095D41C50E4DC61A47C2730FF,SHA256=64F22340BD8AADB51960C0CF279F3974B8F34ECAC8BD013033FDB86B8FDA6CFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.474{69CF5F33-8598-6151-2979-00000000FD01}1976516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000973807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:24.892{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000973806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8598-6151-2979-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8598-6151-2979-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.271{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8598-6151-2979-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.256{69CF5F33-8598-6151-2979-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:28.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED2A91880EC126104BA6DB6A10CC675,SHA256=CBCC04FF3455DD3B6282A4F9FFE8BDB67A07ABCDF86BB10B6DAB4BCF61C3FEBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.913{69CF5F33-8599-6151-2B79-00000000FD01}7563888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8599-6151-2B79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8599-6151-2B79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.663{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8599-6151-2B79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.632{69CF5F33-8599-6151-2B79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000973825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:26.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:29.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A7F2BB76950481E70CCB893D45DF12,SHA256=AAF7B7D071A22B6F559D3D479A73F1634A016DFE38DF267CB12807F4FC6365A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:29.195{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698ABF497CC8F880A2760B42381B9C6D,SHA256=1086B384C28EE45176591E7077B9ADC50B9C430FA9C56AD85B13E93A853C6427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:30.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1179563D9D03662C37E7FE87C1D163DE,SHA256=FBFA4B300147BD3EB8E23C95F5FF188CAACE143DC44E82515F870CACBFA1A85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:30.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEF00AD69D5B8571A175B64962DB2797,SHA256=DC00F19E06363CDC2758F47FB5BEC028747307507D13B7218A0823AFAC37DF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:30.515{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0288F1211D3BDC9186B48B35584DDA,SHA256=FB1CA25C76B1C288B9950311C6726D4A67D25BEEB943915EF7374A8273AEDE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:30.040{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4286MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:27.146{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:31.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68E81D2F32574F25C39FEA67F1A17A4,SHA256=251DB0A72541C2622DA4805C46C8D7B2B5B803EA2088026D5F74BB6C6830527C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:27.740{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59120-false10.0.1.12-8000- 23542300x8000000000000000973844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:31.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282296C6BB2D92C1DB14670C316FAD0F,SHA256=3E0A49238D86C1333EB627C906F5C721E046CFFD9A86E10C5F38AB52776E0268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:31.048{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4287MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:32.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B2D8CB0AD3EBF697D37EC94AEAD026A,SHA256=B9AB94DFA01540444611BA7666EF064354E545921F18CB9E11B7F9C607177C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:32.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CB6AA0819AAFF58EA93DE548135B8C,SHA256=DCF63BF869B9E26B22DEC7E3047923873FD2B82B2125F8D8C9FA87B38B886D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:32.379{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DCC877EF7EDF329718C8864ECA68B739,SHA256=CA3E0CEB052E80E2AFC0CDE08DE6C1FF4AB498129E6D3814B75A461AA1DF0503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:32.160{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60782F6D43DE40FD2EF5085611FAD8D8,SHA256=4599C041C370F8D640455216385C3FF53A09059AD910E2203B1E77D8192D7A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:29.887{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000973850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:30.356{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:33.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53CF7098097D0C2A0363326104B922A,SHA256=2F3C787A4CE287C06F42586B6FAE90EFED8FD5443469F7575C4A93BF418E0084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:33.273{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978E9F89422F5224CEA05859DAD152BC,SHA256=E3435BF0FD2F5A6C2098016C153664D92800C207D7A1D591DED526430F682FB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:30.933{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000973848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:33.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153EB08BC02116CCB668F06F33430EE3,SHA256=1CCFC37FA917E8CA9AF1319D6F1F60E41ED5F56F8267C99A2E6C7A6440EC2AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:34.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290CD10579C62F83B7FEF64355BB7F0,SHA256=31DEBA9C941CB6AAEF17B4674D213257F44AD847E69FAE9A56099C21934EAB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:34.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA602753B630DFACD25D99E07ABD21,SHA256=EDEF74730E89C0839617B79AD5B6F117F05C63CB9EA68D5EF1A5D0B716ED114E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:35.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103B4837A5A24C7E3DE0A155FA1039A9,SHA256=A486944E79184B12C49CFF1AE08D0946B2720B4CEF1FA2B2D26FB38AFCF45428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:35.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C30B5D26581BAB4376AB654AD10A67F,SHA256=6F4F7CB1F2C54CFDAF36C73F5FDF86F68752732AF8CAA88A0315D0DDB79A1A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:36.389{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B283E7A498392484D8936C144BD467C0,SHA256=02EFF029EBDA08F32FC56F49831F20F75825D253859B2CAFAA3C8DF8BACA6DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:36.339{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A32550B8860506B74D9A97E80EA9AB8,SHA256=1AD8EA4694C83B7EFAA0BAC3B71A0D59CFA47953825392804933ED8ACC897FC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:33.676{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59121-false10.0.1.12-8000- 354300x8000000000000000973853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:33.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:36.123{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:34.651{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:37.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23615FA4A57CD1F4CB5CD4DBDFB076,SHA256=BD11C0562121900BE051ACE42F34ACC8C173002F59DFC3C5BB97F4AF12E511D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:34.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51745-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:37.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995461A9B7F29745477DD3D5D5B3E8B0,SHA256=66230EB316F42BCE888B5E2C85DBDBCE7980EE4116A4EE46B1F37EDFF2707AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:37.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0814784E381722578F012186313990,SHA256=A096994E4346B23EC3F56D7CDBF181B2BA9F25081DE4386C6074EBB5A061BE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.837{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:35.800{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:35.799{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001044778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:38.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338BCEB7392DB66E8B535900C82F6DB7,SHA256=8661DC6304A938BFEA1D8CBFB90D5F8C0A43366D7E190424D6AF9D1FF9950B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.738{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B7133721953197D2A0B218A8DA5C778,SHA256=51450E9C66C757E66FB2F79BC054816F9242F310607DD0404A2F87A228146ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.222{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0FE40CD41AADD2903CE876688A9CC2,SHA256=C8D7A7463C838B6F6EC18006B11AA534C1AC41D2167D154117303B5874F88E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85A2-6151-2C79-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-85A2-6151-2C79-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.191{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85A2-6151-2C79-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.176{69CF5F33-85A2-6151-2C79-00000000FD01}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:39.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CB6B91AB055B9A2CDAB489FE224860,SHA256=555CAE72189D31D4E859E91104F534F3FF262004C25D2F81858E5DAF10D9423E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:39.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D08F5A31B1CC528CCB57E83062F53F8,SHA256=48CDE44DD1F210B3F76B163732E5D5EA63D3C8E1F3D5CED8519FA5E2B3EDD5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:39.069{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F17DCC8B978AFFD6B3479F1B50ACF52D,SHA256=5EC856F62C0CDEDC44B391F9C2D0200CF36D2CA82CEDCA77C822B5D36D7093D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:37.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15614-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:37.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:40.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF581F24C2C9ED51CB655D87B97C63F,SHA256=AAE2EC2D5C62EA246F0DD785B82B371F2986021799080120A0E495C10D345514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:40.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2104457EBC75CA7DDC22B25985D9712,SHA256=4DE6FF505716A28DE2E51AE6ED0035F789B6247B643C13ACF297B5D549DD014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:40.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E5C90B79398716B4317C0FB8B91C72,SHA256=A466564AC428FC43206C27BBE35AC43F31B2D7AFF6B83398793C761D9301CEB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:38.691{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59122-false10.0.1.12-8000- 23542300x8000000000000000973878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:41.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBEE25523665785948CBF21789A7119,SHA256=685B1FC7C5F63B91EAEF6F8ED34413500A202EC4FBD86C0289EB2E46E472F7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8498896C1D491E9E5D20C6428170262E,SHA256=1419E21886E3A09D97A7CB5FDE00F6EC0F8BC1E06A5734CBB125CD0A4EC4BDF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:41.091{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:42.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1763B6B48DD4836DE5B91A08CD2B7C,SHA256=7A545F6137E7735DFA9A4FAF52C49698FF9CB83887E3680ED8940DE217517B63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.768{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:42.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B66A19DFECE4AB1455C82F6DFF50D8,SHA256=08AB63B731AB13B17DDBD784922E980E6D88C8DB1952D23931EC253ABD8FD7C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:40.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:43.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3F029D3198341262A80C573EFC6830,SHA256=277CCFF6520DA4C3FBA62C06A8351C303EB08C6F423875CFC65DF419597B9564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:43.452{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71041B630150E609D3EFACC40F0FA5BE,SHA256=17975BF0EBBAA21069BBC14D1757E1F95B24587660D8DB79C878C001085D12BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:40.945{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:44.668{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F09EE7047E7CB6EBEF2F6629A52B2C,SHA256=ECDFA02BC15DBCCB393C8C8478A17685609CA6A615DC20C1C728EDBA937B198C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85A8-6151-8479-00000000FC01}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-85A8-6151-8479-00000000FC01}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.905{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85A8-6151-8479-00000000FC01}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.884{5EBD8912-85A8-6151-8479-00000000FC01}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A616CD8016BE3D795AD9D75602B7747,SHA256=BB52A20571E8B49CEA117D70174997B731C8D2685D0E7E4B05DBB771545DA13A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42961332C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:44.089{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000973887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:42.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:45.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005F8368BBF4004CD88363BA8E1ACE48,SHA256=C3280BF892E938A99A9D94DF6368AAF4833320B6EBA05CC78312597729BCEE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE42681A52CA70FF4F4F6F4353396E14,SHA256=2432DC9285E0ECBEB8BD22199A757066A186A603781EA61869F078D450FF61AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.887{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059F78FD8BD7B6024F53B4DDA632AB0E,SHA256=F230FE650144AEE3DBA822CEEEF80EBA9F305952BB5366BAB13DC9A43C866AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.769{5EBD8912-85A9-6151-8579-00000000FC01}64804120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85A9-6151-8579-00000000FC01}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-85A9-6151-8579-00000000FC01}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.590{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85A9-6151-8579-00000000FC01}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.569{5EBD8912-85A9-6151-8579-00000000FC01}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:45.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA817B885F5532878CD853F6A7AEEFF9,SHA256=A2B2CC0CFC60BF999A167FA05B228C374A248FD8C4C4719CE25D1CA90F4D00CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:45.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C034BA4D9BEEDDDD8F45395DB0719A1,SHA256=B851F4C38D1A097B263152EFF9E12933539D810775374593B71F8A48850300A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:45.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C731381EF14055B27C1F3D57F04A90C,SHA256=650F14C01E95A0B940A03C6413E87A299FA37367B5DFCD0534B84C197A2CE7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:43.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59123-false10.0.1.12-8000- 23542300x8000000000000000973888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:46.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A4EC8F90880F93367500C70C16819F,SHA256=525AA1AAA0D11B34A28CB59E79DA59AFD329D9AF00EAE5CC74A4EEAB988CC4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.522{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088A44D3236FAC1D3A75DBCD6C3CE721,SHA256=09435DC214DEFC7C1820DD216461D1335DEFF3DAEE1FB10E036E11C72D0B3965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.290{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85AA-6151-8679-00000000FC01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.286{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.286{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85AA-6151-8679-00000000FC01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.286{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85AA-6151-8679-00000000FC01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.270{5EBD8912-85AA-6151-8679-00000000FC01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:47.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA70BEFEFE869B04983F7B24484325BE,SHA256=8DEE3CB00C1D21B617BF46D1E8EBE1BAC6FEBD5B2507C7683FAEC6838E78E3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:47.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0338C6D585AB29340DE97AC1073173,SHA256=4A2A52B5E514EB32BBC9B6BBFD2BFFC07F2DD4253D5D5E4B1760E2FD9F465B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:47.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE42681A52CA70FF4F4F6F4353396E14,SHA256=2432DC9285E0ECBEB8BD22199A757066A186A603781EA61869F078D450FF61AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:48.569{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC197912908609410E5840DE1F0BF2B,SHA256=C9205D6B74A50CCB6C20D228D18D6EDDB735FBD03745AD9F639B7A94E15AE75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:48.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E718282E7376311729CAA78EDE4DC7,SHA256=A85E0431AB0C53FB12A8836902CB358D188CD6BEA5511A74FA2209FD44B50B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:46.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000973894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:49.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A014D82B17D83C3681593EB0FFD46D,SHA256=8E6558F592358E3F5AB3A422D8B84CFFC32AFF411139BB957F459E3E4DC071A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:49.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75743C80FD612DDB420EC70FBEF836D,SHA256=33E91272F1F55B161BEC6FEDF0A8844BD5C31C1DBAD6755666A46AE33149E223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:49.668{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C034BA4D9BEEDDDD8F45395DB0719A1,SHA256=B851F4C38D1A097B263152EFF9E12933539D810775374593B71F8A48850300A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:45.904{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-57201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:50.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344AA6AD2864115AA2A84CF102BCABA0,SHA256=FBB3EF48B21C55158D499856BE633803907061C01FA93310C21FCA6F1F01E67B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:50.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD995CCAF73BEB996F4B75ADC1A4082,SHA256=CCBB8B6DEEFB7916D3FB5A6A670CC900550A3A6CEA35E4C344C0700F27185F3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:47.078{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-54635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001044853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:48.907{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61717-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:48.423{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:50.068{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49AF45ED4FD96D0C523700026AADF676,SHA256=B1B1F6BA7BDCFDD9099ACAFB992A00F2CC20B6D0BEFDBA58664263332255C3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:51.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4461859E22F44A286ABD46392E0B466F,SHA256=26ED603326C75477407DDA05259719EE894B523F7C5C2DA4A29E90511A1EBA05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:51.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88027C7FC9479FC7F0BA1087183C699,SHA256=00B0F8F71B30E65460BFAF1F91244B29C759479D7605A0FAE4F20DAC1DD684C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:51.183{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5B847DECEA82DF6DF9D78F51091688,SHA256=FA2624B9D5C1FADC7CED0BC8859620CC2183A009C2E106C3B92A6DCE39EC76CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:52.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B5E7DED1B6E0EB65EF234401C3DBA0,SHA256=2A57498B793B7B83E2FF755255D95FE58A067368D1C49DDEA1DB99C1734640DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:52.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C0BECEDD7377870BC0BAC46518FA9C,SHA256=8523696BF9C52F6F28DBEA4EC17F0FDB6C533C8BF86988DDCFD2A59EA1F25729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:52.736{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AE77B9CEFEEE1C8085BF429DB3720C,SHA256=80C428B9FA7FB152E0E839D0DDC0F1DE9EFB381A389093CB44C8EA40FE540BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:53.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A937D8F376A4AFCEBADD97D180B01,SHA256=B42AEB997D0CA64A279878F881857622C6A322F10101E82C2FA819ED7B138B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:53.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282DD3F95A7DF67ADF2EE254D4D92A9C,SHA256=0613DEE8AFDB92AE2DB495CFB9E85897EAABFA1943E48857FA3DA68CBC293A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:50.080{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29311-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:49.824{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59124-false10.0.1.12-8000- 10341000x80000000000000001044875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85B2-6151-8879-00000000FC01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-85B2-6151-8879-00000000FC01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.804{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85B2-6151-8879-00000000FC01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.783{5EBD8912-85B2-6151-8879-00000000FC01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E576F7CFD7290934FB0AD44596C697F4,SHA256=93DB769777F73FEC81EE73C770C8D441539591577F382A93B347B6E008321D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:54.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E17BB2F8B1EA23573935594369D48D,SHA256=608B789B1403C4D6917125A831509780362188A1D459E3C05F9039141F21CC1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.303{5EBD8912-85B2-6151-8779-00000000FC01}45004156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85B2-6151-8779-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85B2-6151-8779-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.119{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85B2-6151-8779-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:54.104{5EBD8912-85B2-6151-8779-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:55.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648F5AD7FAB8D0D487DBD79F8110EE5B,SHA256=C6A6EB783A4CE9B071C09B825014C2356C5ECB2C5F106B9B724A66F392D07B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7672E533B9B499799C8601CFF7B43C71,SHA256=8E8822E4770F4403ACAEAE49E265BDAEB11DC30FC412B7D703ACD890833AD47F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:52.796{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001044887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.688{5EBD8912-85B3-6151-8979-00000000FC01}60243024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.504{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85B3-6151-8979-00000000FC01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-85B3-6151-8979-00000000FC01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.488{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85B3-6151-8979-00000000FC01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.483{5EBD8912-85B3-6151-8979-00000000FC01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EEAFE4B8128580A4B87EEE885007E23,SHA256=3A5D5D2A32B05A69D5A42D8CFBA090776652811AA8C3DF0F274BD81FEDDDBF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C63BA7BDE024FF0DACB6A3D54BE21DC,SHA256=28E83AF795C87B06488F55D13CCF4A37433AAC7BC6331B23725D6B2239F65A2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:55.020{5EBD8912-85B2-6151-8879-00000000FC01}19246456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.808{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1EB29FA59D62534070179A24027540C,SHA256=180BD477140AD9C6AB8005AFFB53F582205FC3B882EBDB42188DC9DF94101861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:56.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF4A50D6D0E2CC7920C0F0BB79B2D0C,SHA256=4A96BEE6F1D45113968E93D2791561A52077D666E5522E31611C641B01EE7C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:56.715{69CF5F33-7F27-614D-0B00-00000000FD01}624184C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000973906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:52.931{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38408-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EEAFE4B8128580A4B87EEE885007E23,SHA256=3A5D5D2A32B05A69D5A42D8CFBA090776652811AA8C3DF0F274BD81FEDDDBF63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85B4-6151-8A79-00000000FC01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85B4-6151-8A79-00000000FC01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001044891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.203{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85B4-6151-8A79-00000000FC01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001044890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.182{5EBD8912-85B4-6151-8A79-00000000FC01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001044902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:57.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B06B622E0BDE345FF78230888B3BE8C,SHA256=CBF667B333046E0739EABECE4451FCB06981AFF823CE624E04E3914E30FD15D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:57.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF01E746DCAB0A304C08FBE2F552A845,SHA256=70B4F2CC702F710294E1295934C87C7981EE8B4AE8E0A3931632229299585AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:57.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B949707859A6C85B734C175B9AD9B106,SHA256=894FAD16041287AD54D606F95E61C29A1575B8206D118E4FC5A3F67205B7788B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:57.555{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:57.527{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9EAA7FB2A3C12876C01D50D249F0FEF,SHA256=70444627180DA7DD6CE385B61E54BC7ACA75BBA792AB59129D356D2B7891CC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:58.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FC733907CF6902191B3305BAAA9574,SHA256=CD7D22EAA0B117C6E9265D760D8BD8169A2D418968828952D0C45BE32798DB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:58.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4981995FC3BDAC199C88D196A0B266F8,SHA256=6831B69BFA79682DD1746F92420AA11A88275C99BA34639F409CB42F44EE8CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.418{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59125-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001044903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:58.505{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4286MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:55.761{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59126-false10.0.1.12-8000- 354300x8000000000000000973913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:55.359{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59125-false10.0.1.14-445microsoft-ds 354300x8000000000000000973912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:55.293{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51338-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:54.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50749-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:59.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5EB2075DEFDEAFCAC90B6FBD181F60,SHA256=6EED8588796EA68BA8C33BDA77354810B0D4A95DE47BFD9726F079727DB9C624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:59.906{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3483FB891CEA7DE6ADE65576EB3A62,SHA256=14E9F18FEB7C897CA380D0E1989816CED9D5E5C66EA99E9AF265BC801013EFC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:57.915{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:57.631{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49374-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:56.525{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:59.503{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4287MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:59.223{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB28C0A7E5E6D37DE1F4642B3EA986C,SHA256=36F52B0F285D70893849F060386C28AA1719CF585334B3647E95598BB3F0AEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:00.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762927B59D607A26C532DEB38D29DE91,SHA256=B2A4B1F4531BA3AC28F4CCBD337998D9C6E8EB97DB6DA53960340AD39BF7AD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:00.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E177059E63B3F3E8DDEC1C4E0CF9858,SHA256=8B7FE9B939C6E22A765956EAC3E40A5A6BD7E16B2CB06C045D4BF0D2BB7C44C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:49:58.631{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:00.285{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC9AAB1CC013B911DBEE67940EB9128C,SHA256=5649903412F4B1A940A8DB456977E2A2E21D79FBEE9FA5F1429B8EDA53F8CFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:01.953{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1F0E632010C143E940EC8E29ED0BBF,SHA256=35D3377A7C81127775FC467E86298292C79706A21987767FC69A285AB61B852E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:01.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774CE82BEC27AB1D450F1935AE2F0098,SHA256=0D563BE9759B78F1B0EA6900FB4D5B97E98F60590D360310B6557848DE6AED7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:02.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC8C49EFDA18E3AD002024CF45B09FB,SHA256=62F6986D4B33D05610DBDC894EE98CA4501496C2D41F634FFB5DB3C3D0A53955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:02.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C697EE2EBD973E3D56D2F06443FB0C5,SHA256=142986CD0E1BCD6D7092A663177325B61DADAF490AAAA71D52CF86868C1A3A39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:49:58.139{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001044917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:03.983{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C5D4D86152570DC2C97AA0591FF595,SHA256=B81743A26675FE778D2B55002077461214493AC59834BB5A2C03B37EEBC125F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:03.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33573134DAEF12C60E8DD011EC0E32B,SHA256=7D59FA08FDDC1043BC51D636885973C9DAF137FB9439CB597F48C580025365E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:03.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7131415AE50805BE6C62FB9255BD15E4,SHA256=078607D99C51C201F3209087053E6DAA46DB79A351BBBA349E24BBF77D420D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:03.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E36C2DCB9D6BD5023D038E58D614FFD,SHA256=D45574A8DF1053D561D0017DD4FBE255F313738FF0F0991E10D860571F8A8720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:04.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B8FFE08504C57790BCA4287DF468D6,SHA256=E18293D868D88E862EA6F8827153A28CEC9FAD3F433F14126E635C3511E3DACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:05.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E9F7AD80C00717CF3B819DDEFDA60D,SHA256=32D6D50C9ADD81C2FD014DC239FA7D60B1842344DFCA97CAB5524D385A923F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:01.747{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59127-false10.0.1.12-8000- 354300x80000000000000001044922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:03.813{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001044921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:03.111{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:05.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E8A1CB4D649A608A0C3E724949FD77,SHA256=9B4886A24699411BB406D77E89F076C156372F87417C1DEE1978A10061C0279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:05.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B607F1EB48B6F75B07FE45D211C578D,SHA256=09CB22CF69907E425C743421E673D7C7710EF316F38DDE753028961877F93E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:05.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D888B80491CBEAA6986B81987BB73779,SHA256=0FA61C22F486D2AC55EDAE017F15D81DABFF460E110DB92346691D2472565024,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:03.200{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:06.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A471DAD8EF72AD408D3A9ABE8E2FB8F8,SHA256=8F837CC03F140B8FFAE02C9ADBEE2DAD7C505B1629A168F0E5E219F8879BC3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:06.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F02E168A0378317B8A1A3635641E2C,SHA256=478D1051B800449B07B38D29180BB7AC52B07416CC082DED34DB22267A33979E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.950{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73E082F97FC8ACCA054CF7D75C3B304,SHA256=1CD6025589405CBF3B8DB1E8F2A12F2F2ADBFDADD46D0110D9EFEC328A502FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.950{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7131415AE50805BE6C62FB9255BD15E4,SHA256=078607D99C51C201F3209087053E6DAA46DB79A351BBBA349E24BBF77D420D89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:07.670{5EBD8912-79C0-6151-E577-00000000FC01}4296836C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:07.670{5EBD8912-79C0-6151-E577-00000000FC01}4296836C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:07.670{5EBD8912-79C0-6151-E577-00000000FC01}4296836C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:07.023{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5A6ED52546257DFE012244D0F9AA3F,SHA256=567C8329AF1C3716A05886208AE85D78F8FC3A1F3439501DB69A8D4F215C86A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000973931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000973934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:08.950{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40B1E6A3D376F25BE69A9B9C2AF8A16,SHA256=363F84094AC6500354774ED1390DF1F07CB9A3506EE167BBF08127C0D2601401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:08.523{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E8A1CB4D649A608A0C3E724949FD77,SHA256=9B4886A24699411BB406D77E89F076C156372F87417C1DEE1978A10061C0279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:08.024{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6683E69F9FD0593F7808766B68C71AD0,SHA256=DADA4CBBEEED8AB924E56DF4B8D6888E884CD11599E15DF3BE6539CE258D4BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:09.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABBB53FF66FC83401B515FFC0948A90,SHA256=6DE746CAFCF537807BA0E94ADE132243D225E10EF93AA4592CE5E4AFA28C48C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:05.078{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:09.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501FEB49602AA736318A5D56F1ADCBD0,SHA256=609A70E480C206CFCDB8927B0707E8581F83D1D0C3FD6313685C7E374A5E1FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:09.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F186683A5188F67F48B797AD6DB9D79,SHA256=250B6377BB156A7BB6C20949D7278DDD4B63ACCE47B049DE403CA620B5CEEC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:10.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4381E4C9D902B4FD505C1CF41A94156E,SHA256=8AA7B0CBC021E3FD0E8A221190AB62798F02E6FF822056A5B37819BA926B3BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:10.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456ABD4251977032151ACD19E1DA6F04,SHA256=DAAFC6506D51F7CF29C2F577F5A2B3745753DFC7FCB7AC74D736DE055C052BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:10.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B9C4905BA78DFBC78B59AD23B1C0346,SHA256=918ADBF1EA9B43254206A363D3609BD3E937EB1A504DB0F9BB8B9EC339C613E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:06.825{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59128-false10.0.1.12-8000- 354300x8000000000000000973939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:06.719{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:06.427{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000973943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:07.288{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001044933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:09.730{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001044932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:11.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9ED5F1A454A38407FA50A67EDEBBCC,SHA256=4FC2463160A6DA509A3304AA7119C72653D03353564E70C329C1AC4F8CB61D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:11.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDD5E47CD0A4F680C66B7D0BDBB68DE,SHA256=5770EA589F6D4D3E71A981CD3AEBC5CE6415A50B2CF972EAD95D213F32D66AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:12.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7FFFDEED69DB7F0D5C2B49D6733D71,SHA256=393C10EB9CCB01F50F190F8ADB601332B664A24AC190102F1A5B67D0D3637530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:12.121{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=482BFDE903D38AF0572CCF075C0FA224,SHA256=592355E187261C36A5EC116C9ABC69C4B672A5DF9EF909C655429DDD43E6FCE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:13.236{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7781A4BD43E61218602E4BA0A43E6F22,SHA256=18F7B32DCA0BA7CF8B45A27FD36E2CF138A1E199E3DB828D93A205AEEC98FEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:10.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:13.215{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:13.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C947DE56BA6F8768B0D7A21AEAD1A69F,SHA256=EED4E7EFB9F2692E1D7A4313BF960A17354E8A8D3B2C1794DF686B3F4ECBD1DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:11.055{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001044936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:10.472{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:14.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84C794B73CDBA94148DC2E57FDFB8E1,SHA256=A47A2385F5D41ECF458D541FD42229195C884BFDAB4C6634590A64498B41F52F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:11.840{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59129-false10.0.1.12-8089- 23542300x8000000000000000973948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:14.013{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF929998606E5A3AFB7ED7AC5DD04A4,SHA256=DBB54A9D598AEADB9B1D98A79044034BCB1BFC1898BAB8E4EA67A73881AE717C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:15.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4D31E1D5EC1E4F1B0BBF69880FBBDBA,SHA256=0C56E05F180A79FDC8B3F45FC3F759418F90333C60F817771A6F0B07D7C8C493,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:13.575{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001044941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:15.335{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8D92991A4E7F808939437AAE05DCE332,SHA256=C7F684F51301146BEA830ED5FEA8D27EE38F6288913455DFE749C89D20348D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:15.335{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89100A442B50A0C67354B2FDDC114E90,SHA256=A97D70F266AC208C63DAC6723F0AB556C83FEBF06937481160BF12E9A9C5C3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:12.793{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59130-false10.0.1.12-8000- 23542300x8000000000000000973952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:15.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184BB1FFFA40A54CCF33CDD24D831302,SHA256=7ABA9A486EAC885D869342DADDC8C158C997629087C26F115FBF7DD00622A59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:15.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A492E83F11378D501EA8028136FE11F,SHA256=70B8B9CB17831C68EC6FC3245DF5B2640C1C64332F3B2038CEFD739DDF365EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:15.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD668EAB770AD2AB2DA7F3E150AC309F,SHA256=3E44EE2D1FAB468B1C8014C9703549152635E59463822247F8432839FCE1A999,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:14.873{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001044947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:16.504{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001044946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:16.504{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:16.504{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfba7909.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:16.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0297AFC0C63AB72F58CA643302B122B2,SHA256=B8DE4E934B043A10A831E2EFDD0B4BE2788AF4B1C9CFEDBD81E0B616C5BB91A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:16.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6CE67750B995E6BE401F856C430D33,SHA256=F704D9222C0844C435B3F2CE3E5407D059859895D5A84BA3E5F2385FAD72B645,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001044953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:15.791{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65442-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001044952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:15.791{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65442-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001044951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:17.465{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001044950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:17.365{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3478BC3F39D1C91AA86C60B10F720207,SHA256=57FED33FA774F1F3F463F514E262CC834B50E0F55A94F8D330A8D8F4503D814B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:13.823{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:17.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838B1E78BAAF2E03240FD8C5C251D44C,SHA256=9D12FB3D23A59220AA5682122DE118A9A41F6FFD9E4CC63982043875340054B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:17.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF72E9CA532837D32B593DDF8AAAB469,SHA256=A41959AAB707AB3465F1F1CD437B47F7967C7294EE93CD3A3A5DF40EFB0D8282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:18.380{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3039A0990E0DC2850090AFB5B887266,SHA256=0722C1877341F4479D73EF526A817D24F32F067BEC19968438369E40DD8A9F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:15.820{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53180-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:18.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BEA8998DFF0CE0B9FDC6B6B5DDD81E,SHA256=D6B21E44225E68D2AED5265DD1246BF22A6F0967DCA493DC72B654D6022F74F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001044959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.779{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001044958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.779{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=9882623B5F5080DF92EB9F27697BDEE0,SHA256=9D69E43674CACC55D7C3D8CC1961AB1BF65212923052BAFA0C5E967F7AD82256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB163BEEFF8471E25A55D668E634ACE,SHA256=155F11C4F344128644827A844DBD396374F079AF9FF8F59A6D7605D73783DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:19.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184BB1FFFA40A54CCF33CDD24D831302,SHA256=7ABA9A486EAC885D869342DADDC8C158C997629087C26F115FBF7DD00622A59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:19.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3CEEA688CFB082085F72A9423B2BA7,SHA256=F406D07015CD6E8AD2014C0F02E1E23AF77190D040389ECE345FF7BE19FCCEA4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001044956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.363{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001044955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.363{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=4DE79D2B1892F3E23008D6DCFE729AB7,SHA256=0AB15F09EAFF596F8131F189A44194F37E84427DBBAF0952EC2BEAA30657DCD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:20.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59127040831B4D53A0692807EFD987F7,SHA256=FF99C9E78DE379E65E178C079E268483AAE7CE67FE4D650680B5653E5B15551E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:20.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBD68DC83AF6C54F5CCDA0AD04890B1,SHA256=FA7E86730208F63C1AE15C4C4D449279C474E39D1C2403ACE99E2FAB35AE83EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001044960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:20.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A88AC4784A443333B93519F889A01F,SHA256=8B4029B4486152BE34E7E674BE8CC73594DA68920AD8367A34634A65FB1F6AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:17.022{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001045043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-79C0-6151-E577-00000000FC01}42966072C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-79C0-6151-E577-00000000FC01}42966072C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.969{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.953{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.953{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.953{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.953{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7A84-6151-1A78-00000000FC01}6604C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.790{5EBD8912-79BF-6151-DA77-00000000FC01}21521396C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001045030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.790{5EBD8912-79BF-6151-DA77-00000000FC01}21521396C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001045029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.790{5EBD8912-79BF-6151-DA77-00000000FC01}21525516C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001045028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.790{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a329d|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.790{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca282|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a31ff|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x80000000000000001045026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x80000000000000001045025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x80000000000000001045024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-79BF-6151-DA77-00000000FC01}21525176C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x80000000000000001045022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-79BF-6151-DA77-00000000FC01}21525516C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+b7f48|C:\Windows\System32\windows.storage.dll+1a2cf9|C:\Windows\System32\windows.storage.dll+1a2b55|C:\Windows\System32\windows.storage.dll+b8ca6|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001045021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.767{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.605{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.605{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.605{5EBD8912-79BF-6151-DA77-00000000FC01}21525516C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001045016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.474{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.474{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x80000000000000001045014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932550781BBAC38CAFAC3E1D864D586F,SHA256=12AFC5E678280AF25B427BF9F1FA5F1D5E28F6D7E6ACED8EBDAC334DE4BEDB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:21.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020E29251469006F2429168D91892F6F,SHA256=44202EE3F2FD4A3EA2CF2AE14A1139B9FD1F23DFD1BC01DFC2BB33E6CF9CD699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525812C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001045010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525276C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525276C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525276C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525276C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525344C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001045001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.262{5EBD8912-79BF-6151-DA77-00000000FC01}21525344C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001045000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.246{5EBD8912-79BF-6151-DA77-00000000FC01}21525344C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001044999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.246{5EBD8912-79BF-6151-DA77-00000000FC01}21525344C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001044998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.246{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x80000000000000001044997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.230{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBDD1334ABE1F52AB5F5AD871AD697C,SHA256=342EEA268A5E5F39899C5AAF003578A55CAFCB7F7F6A17FD4F696A2443CBBEF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.148{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001044995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.148{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001044994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8A63C012DE061A578831564DF74D8E,SHA256=90F415FCDF73B5F59E72755DF1D8CE7F808AF46CDD6C416583287EBDACA71799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001044993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.132{5EBD8912-79C0-6151-E577-00000000FC01}42965156C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.132{5EBD8912-79C0-6151-E577-00000000FC01}42965156C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.101{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001044986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.101{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001044985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.097{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.097{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001044983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.097{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001044982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.096{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.077{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.046{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001044969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001044968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001044967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-79C0-6151-E577-00000000FC01}42966416C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-79C0-6151-E577-00000000FC01}42966416C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001044962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.030{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001044961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:19.091{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:22.507{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55836656647F636CBC5EBCD69FF012CD,SHA256=613B91D656B3244DC761262D0975D935D5BBF1B212683A81F8395C966114B885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:22.507{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9F865C8A5F314262D8A3254161926B,SHA256=8257B59B70DF143225AFA43D139EA395E4168B36A6C73577881B4A25259F312D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:18.809{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59131-false10.0.1.12-8000- 354300x8000000000000000973966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:18.472{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63080-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:22.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF149FF12E31D14CCABD8489DB70020B,SHA256=E7D181F6CA516E829E7913E971D311B1388ACEB1D117D790D8293C578987E06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:22.370{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-27_085015MD5=8DAFAC912B08D8058422D9027307E4A4,SHA256=D017D2ED304694F93DB895CC0D3907B6C39FF3695D820E6B193817D526F52CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:22.354{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=3B24716151F08E1DF1DD1A9B2002935C,SHA256=1C645529C20B8A8116054BEAFA08EEB235AC5E74C71EA60DEC1FF28326462E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:22.338{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-27_085015MD5=616AB382043C11CE779E93E769F6CF86,SHA256=58D0C5107DCFE57C6A63B41777F8D501AE52F22D42965085AA1F7C00ADEAE6D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.991{5EBD8912-7F30-614D-1400-00000000FC01}1104372C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.991{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001045044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:21.991{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x80000000000000001045053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:23.522{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD5842C56140EC702FB966CC407B942,SHA256=6A2E81B8219DBCAD49BFC6D16F6030BD42BA5A046BA96ADDAA3F963BDFDDF975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:23.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C17FC029EFD9CC972B0CB71E028542,SHA256=2E8611E9352235244998E2EA7E4C5CEDFEAAC85995939C34E32B0ADEA498F8B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:20.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:24.553{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1A8F10D41CC172D6F287D47EBA624,SHA256=D9A02B74942AF0C199E3CCA3CA93CC55E5D5AC47601009A582A0E1723354A54B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000973970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:20.831{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23567-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000973969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:24.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA3832E6B8EE30413D57C4022C523E9,SHA256=0E319C36A8A5A3158B7B2DB9A584E531E9C441004B5C800070914F7F001B421B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:25.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B91486EA68A7452C56931C8AE523A72,SHA256=B2129AD41F45A9134A80C29F0014F318BF3AAA027543F5C3B86B043FDCCB43DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:25.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932AC95E6D008B0DAB82916A98A15B35,SHA256=B833A12C180C5C6944E918B12F9893A64FD111D541C4F61CDC4E265B041E081B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:26.904{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:26.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BBA71187666F5560293E1734BCD7CA,SHA256=AB2463CCD27AC7DD351CBAE39FB147746D533AFECF8E0F4A6F1769ADF6B0BE55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D2-6151-2E79-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.890{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.874{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.874{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-85D2-6151-2E79-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.874{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D2-6151-2E79-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.875{69CF5F33-85D2-6151-2E79-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000973989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:23.340{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49758-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000973988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.390{69CF5F33-85D2-6151-2D79-00000000FD01}36763388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D2-6151-2D79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-85D2-6151-2D79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000973976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.202{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D2-6151-2D79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000973975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.187{69CF5F33-85D2-6151-2D79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000973974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1E1BA226501E0CAB8B061C19AC06FB,SHA256=B05A198783E995AE90A405D892FF5C02CD9D025A0ABC99267449D406174794C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=133A25EE59A329E1435D4E23597B669E,SHA256=9EA5B14349C60D2DEA68D491E63FE76F7C8E907503E295534328CBD2B0CB780A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000973972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABC5364364F62CAF35871E05E53FAAF,SHA256=771C22E4234698F11050803B086E4ABCD55E16C6B2E2D9AA29488A692171E91C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:24.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59132-false10.0.1.12-8000- 10341000x8000000000000000974018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D3-6151-2F79-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-85D3-6151-2F79-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.562{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D3-6151-2F79-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.550{69CF5F33-85D3-6151-2F79-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8AEF4F4E2B7F066D919E804667A829,SHA256=17BA39FD923E5BD399BD2B47755EBE4EAF90F19D821F04D3E8EB5E7A7DDBEBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1E1BA226501E0CAB8B061C19AC06FB,SHA256=B05A198783E995AE90A405D892FF5C02CD9D025A0ABC99267449D406174794C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFE6D67FD09A31C61B4CFAAF41AE378,SHA256=EEB06E26E08861390B2B7AD99921823D10854A1324241E1A584BB5005992E50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.304{5EBD8912-79BF-6151-DB77-00000000FC01}23164744C:\Windows\system32\sihost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.267{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.267{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.267{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.182{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.062{69CF5F33-85D2-6151-2E79-00000000FD01}10802996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:25.124{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-54301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D4-6151-3179-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-85D4-6151-3179-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.843{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D4-6151-3179-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.829{69CF5F33-85D4-6151-3179-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37AB3712EB4EB900C7CF628F460F2B6,SHA256=EE765EF903F8DBE868D21199CCDE11849131D5CBC3C51E0E1EE709819B3B5A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:28.718{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310DE2292EF5D27A727BA8530047B479,SHA256=0880939294A36B1EAD845EDCD0FC76A556B79C22CB22A5E689462E913CD89D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD43FB74C7C929DA5F396749C9C23F3,SHA256=B5078A51A006DE5C270903396792FB09F4C4308C44B9E42116F98BAB92F936F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.405{69CF5F33-85D4-6151-3079-00000000FD01}18041008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D4-6151-3079-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.249{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.233{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-85D4-6151-3079-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.233{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D4-6151-3079-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.234{69CF5F33-85D4-6151-3079-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:28.250{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=8DAFAC912B08D8058422D9027307E4A4,SHA256=D017D2ED304694F93DB895CC0D3907B6C39FF3695D820E6B193817D526F52CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:29.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF12784B0B74979988A31936871A2836,SHA256=ECBDD1A7C5C59254BF2DA29963E54958030ABA7C96674779D9B1830A63968B14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.796{69CF5F33-85D5-6151-3279-00000000FD01}10923512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85D5-6151-3279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-85D5-6151-3279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.530{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85D5-6151-3279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:29.516{69CF5F33-85D5-6151-3279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:29.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD86AE7FC0D5979BB0AC186F18ABAC8,SHA256=AC537CCC09F44454108290E723DB3C7086A4CE2B5F5A97E4C8E307D6A43B1732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:29.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07C3AB611776EBFB5C777063D383A73C,SHA256=95DAEB52C82527FE0D70A5DD2E6DD0B4C161350CC56FAED486A3818B1B1DF28A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:26.773{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:30.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7F5F1A8446EC005A4E4BC000DD3BB4,SHA256=647A7E2AD142C1EAF7A37A10926298CC15E98A570404DE46A04812B8D259A1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:27.760{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6174-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:26.522{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:30.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4C11757D49E89694527732680C1B7B,SHA256=717F42AE4EAA70294C75E2D86FF546F1D21C1C0D9626D1B6679438AF320227D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:30.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C7870651528735893B4F461BD9803C,SHA256=2E082AA43ED2E47119E150E33724A8BB437703D80F59265845902C329932F05B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:28.666{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:27.740{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:31.783{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9038EE0070454BE04FA646CBD17C0A7,SHA256=E32FF758AF0684FBC068D1CFB6CA0944AD547612EE0C85351C9293AAB1DBB4E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:28.281{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:31.569{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4287MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:31.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B9489E5B2A41AEC7CD2893E27EA272,SHA256=C0A19283BC81AC052C8BC0AEE3E611D0F6D67743812DDE41DDEDF9078EEB2E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:31.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D607F66AD32E68E84903E1AB93A85E6,SHA256=600B971732CFAA818C3939EA14796E47564F13F7F21611984520BEA780A6E557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:31.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:31.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:31.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:32.802{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F383B22EC63D55FC7E1F4EE38A0C87,SHA256=0DFE2CF030F7C7AA6B5D9C96DCB7F4838E4E81D7EB1C54958FEEBC2D7EEA1270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:32.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0550F7F11F345C714E9CD39D7D88AFC8,SHA256=6805ADA8EA87169DBBD0FB9AE1B34E990B8589764772EADAE26497A5954B0CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:32.578{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4288MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:32.389{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=330D0683D8D02C039596563AD54D75C9,SHA256=A36D4948949294F26B227231CAE075EAB47ECAADB59A93B528F8C9FABA21A338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:32.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17489D8E902938D581C9E633D45B38E1,SHA256=C040F4D1637B227EFA446EE57B899D6CF37B19B818FC492FBE5C83BD92ADC0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:32.517{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:32.517{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3E5D5F86212843A164D5C0877C9CBD86,SHA256=4190F164EFD2EBF2DEA46816D5F2395ACDCC490266CB39BDC6D699B4423DF1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:33.802{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA8D915CD52607ACF77FDAA1827A686,SHA256=BAEB91E7DA321395B6A5CA1FE7807B8E88A4858F4C72D23E7BF3C90A0FC0FE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:33.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F357C68E00391253804E3A7B9E91385,SHA256=856B24F14BCC06AF3066D491F0843A54600491A486814C713FAEF5C211FF2C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:34.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBEFB512BBD4602CA5E07F6BF91C406,SHA256=10C687D346A1E301A779F0F2FDF5A33B705888B62E4115869CB5DD49BF16C940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:34.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969FA6BD51C8C27E17885FD76419E463,SHA256=98166704EF6E4256A7BEB6D56BD3FC94B91E02923289912B45D6AD2D763ECC75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:31.871{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000974077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:30.749{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59133-false10.0.1.12-8000- 23542300x80000000000000001045088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:35.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8937E3BDF6368A635BC359A31E5E7622,SHA256=C90477B828318D5F4FC99CA1FF8AEEC0F8306A78707CB99F1C95419CA7E40BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:35.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBFEF3FB8C517A02C252FC3A07847FE,SHA256=094E9935492CD64268C05D5462CE8708A09841C8FF1F4481B762CBAE24296249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:36.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C28E48CC675F58D276742A4153042A3,SHA256=483D2B29013BC8B638EA53E629228FD983F893BBB50346B5ED68F03454698C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:36.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079F25E26090504A4356B833277480D5,SHA256=3E3EDC889BA8F9837497574016644271ECAFDA72B84DBBC1C898DD916372A2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.146{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.099{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.099{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.099{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.084{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.082{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79BF-6151-DA77-00000000FC01}21526536C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000001045100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.047{5EBD8912-79BF-6151-DA77-00000000FC01}21521396C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x80000000000000001045099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.031{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.031{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.031{5EBD8912-85DC-6151-8C79-00000000FC01}326360C:\Windows\system32\conhost.exe{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.015{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001045089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:36.014{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000974080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:32.783{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33839-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:37.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154F890999512462E6097F29EA0992B6,SHA256=975CDAA1B46FC447756119540D9953232C4D854B23FFAB14C31B23027B4AA751,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:35.825{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001045119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:37.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166A34732FAEC852721CFE45ECCCD6AD,SHA256=5FA2E12D3CE4C49DB8B43C25EBD483B809FD4203030B948C1649FBCDB029C71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:37.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08019E90FB3A3A03311D289DC60E7810,SHA256=770B2676497FB8F98B2282A8E70E4BB645BDCB03C63F4CDC2012C30FDA8BE35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:37.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD86AE7FC0D5979BB0AC186F18ABAC8,SHA256=AC537CCC09F44454108290E723DB3C7086A4CE2B5F5A97E4C8E307D6A43B1732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:34.109{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF832F05E9A586936D4631B16D994E2A,SHA256=6A63C34561C74B0D46CD3DE9EDCE2243BA289F341D371BF3A09FE4CE71C95E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:38.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8A21BEB037BF96794BB77360939ED8,SHA256=4A751DE7ED3E0428D6A9CA813508F08A58F8A037CB6D1A4D26281EDD2D7D6F56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:34.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51518-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-85DE-6151-3379-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-85DE-6151-3379-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.031{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-85DE-6151-3379-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:38.017{69CF5F33-85DE-6151-3379-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:37.868{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:39.179{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8734C06B1DCF4D8CBB64149F8D0B3503,SHA256=3F22F25E2C35780978122CEBF0F3EAB299DA7D6073FA2A8B7CE59FBCABA80CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:39.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF69F745810E42B1B6623B11E78A038,SHA256=933B8343C330B2A646D51C0DC0705C341F383E202EFE10C1D9E3104DC3C9DAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:39.077{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5C4F38B95F4D27DBE2FBFF42E407D14A,SHA256=87AECD7DCDF1177E6B30C35E73B670AFAFF0500ED373AFD9E0CA99E4C4770E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:40.197{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D073D1695D3A0A3A60EE93515C6BB,SHA256=13D449A4126E0727A9ED290404BC39CD1E871B9B7E2BC7A7EB80E39578C9FA5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:36.687{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59134-false10.0.1.12-8000- 23542300x8000000000000000974101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:40.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AC5384ABC58CC17FA008B0E9C15F9B,SHA256=72D3603E5DBD919D4F4D59D9C3A90B64FA2E6276F491D45368FBA86E87340F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:41.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C23E8E3E469D2DB16A61575CEC76EA,SHA256=2664E557C8A9C4ACFF3B9D3CD25EF596D75CED5E46F077EF9B0F1205D1123C5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:37.863{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:41.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47E7789700BB25982C3EBE33D305C6C,SHA256=0A0FC71B78138B50BBD1E6F38AC4CA672BBE766CAD82F96F74D9C8D0476E0609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:42.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E138A95294E8DF1BA47015E6EFDF3A8,SHA256=D5BA1086BD2C9F67D1B280DA402D3B97F6967F9A8E0F621ABC24C0CC4A0A9E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:42.910{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CA08516AC7DB7BAE3AF3782C4F64728,SHA256=284D05E1EF28D8C587D06F2FACA2DE96D735BCB830C436B0801B70F1D306E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:42.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CBFBDBCC681352E8B9358986706C8D,SHA256=7F9F96F11367330212DA4B3C94D983C14470FBA230E18E52B02EAB55A9B36222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:43.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F068021C9F9F41654CB5C912646770D,SHA256=F784C61BD22D62B789B10C1B6195E127DC5C4B7B50D0088FCB05AD8FF303A559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:43.576{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924A29944FEF284EBB678AF0A9116A65,SHA256=C9D64F302CE081A669F57864D23321EF3EA4B594E1D8E7CAF22A41CE5603F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:43.574{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166A34732FAEC852721CFE45ECCCD6AD,SHA256=5FA2E12D3CE4C49DB8B43C25EBD483B809FD4203030B948C1649FBCDB029C71F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:41.757{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60579-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:43.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3D57119E4D01AE8AB2C2D7D7B4E88D,SHA256=A68BDF9136E4863A76F359989A0F472F8BA3CD6DB6C5882FDFDBEF6BC71843DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:41.769{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59135-false10.0.1.12-8000- 23542300x8000000000000000974108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:44.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F864036D9F31925E3CD2D85A7C35C67,SHA256=A39446DB4ADDB9377E621CD09499180776A4F32BB9D14B554491889E46E71613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85E4-6151-8D79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-85E4-6151-8D79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.925{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85E4-6151-8D79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.894{5EBD8912-85E4-6151-8D79-00000000FC01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924A29944FEF284EBB678AF0A9116A65,SHA256=C9D64F302CE081A669F57864D23321EF3EA4B594E1D8E7CAF22A41CE5603F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:44.378{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B58A53EEF031EBF6361A32ACF1994DB,SHA256=D3C2E2928C3225E43B84D13D29274299DC48D9435CC2294A6246614F2299C23D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.877{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001045161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.877{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001045160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.640{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001045159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.640{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x80000000000000001045158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.609{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.609{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.593{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.593{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.577{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.577{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-85E5-6151-8F79-00000000FC01}4084C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:43.265{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001045151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.477{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85E5-6151-8E79-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85E5-6151-8E79-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.456{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85E5-6151-8E79-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.441{5EBD8912-85E5-6151-8E79-00000000FC01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.393{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2136484F2B686E5099BCD52DA25A568B,SHA256=A42F0AAE010C1DDFC7D64DD722A845C5AC522CAA3B83C7EF91D50074AD2FEDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:45.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA03CB88ED192E8BA09D60AC35AD2A5,SHA256=83DCF4F8422CB6BC2BDC494293CE37405DB8A59B669552F57514089AC50F3F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:45.109{5EBD8912-85E4-6151-8D79-00000000FC01}45084548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4B2BB8527F51EF40880AA2AC42541E,SHA256=9C10D07904C4A27DABE872816A1EE8A7C7C7DDB226813CAADB5E3A437012BCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD1828DBFBECAE65B2E4593545A6BAF,SHA256=63FDB7E4BFDDE9673B16CF5442924F1154765E89CE341575054E261B43F20957,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:43.748{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:46.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E28117F6588FE51A6A1851B93064D3,SHA256=9C9BAA20C0959E3599C52A9EE6645DDEAD9E396B4CE1D1C99D481CB7F895ED27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85E6-6151-9079-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-85E6-6151-9079-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.355{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85E6-6151-9079-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.341{5EBD8912-85E6-6151-9079-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:46.093{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C74B55C802398998018CEE053837A87,SHA256=D2102139FB08D9EB57756A536B49142ACF31661C518F46EACA7A0E32B56AA326,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:44.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com53989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:47.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0817D1819EB2F8E525246DFAA1431221,SHA256=8859596FDE8A3C5DABA5D412939BE2AB97FC6A0CB9707A08E26080885A3E416A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=7BD83222013899F27E518ECCBB0B4408EF2B8BA17098056C7A7EF8040CA48707 13241300x80000000000000001045200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x80000000000000001045199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-27 08:50:47.108C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=7BD83222013899F27E518ECCBB0B4408EF2B8BA17098056C7A7EF8040CA48707 13241300x80000000000000001045198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x80000000000000001045197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x80000000000000001045196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x80000000000000001045195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x80000000000000001045194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x80000000000000001045193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x80000000000000001045192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x80000000000000001045191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x80000000000000001045190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x80000000000000001045189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 08:50:47.108{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x80000000000000001045188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-85DC-6151-8C79-00000000FC01}326360C:\Windows\system32\conhost.exe{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.039{5EBD8912-85DC-6151-8B79-00000000FC01}42205168C:\Windows\system32\cmd.exe{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:47.040{5EBD8912-85E7-6151-9179-00000000FC01}5536C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000974112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:47.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388BC316C80CD0FAEE0F1F8F49EC1616,SHA256=ADB599CC3A5FDDE2548723AE67C3F7A7FBB90B38D3DEFDC28EBCB7835363265E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:48.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49294DBA99B456F6CF8981ECB355D06,SHA256=0E92C3994CEF997F811BEA61E8667A34693E54E7904CC954BF083E115224C628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:45.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:48.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F3E568044A1A1DADD987877402CD56,SHA256=3A3625D115F8E5C58EA74ABFD27263345045A5D6775A9DF96EFEE567F49025E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:48.054{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B098ED1EE00474EDE3D02B0654AE1BE,SHA256=95F11988AC3916940D87D167059ACD54DF8A1493383D502A85411D50AC335D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:49.873{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5725AD93A408E5A560D9F02210D921,SHA256=F75054705B17FDE5682218A1009DFE75B3941226B87A30F1CE4BAFB40F55D174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:49.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7056D0315944695062329699D6AFCA,SHA256=CC3BFB710B1A2C925F45A99B0CE39B0156331BF5CC02B605F03F04FF508C30D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:50.879{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978C5B42ED04534F728083BD87D4586B,SHA256=A5F5B9666AAB47C58F18076E3CFE47200DE7E1D61F822DD749D4154B2297F577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:50.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BBD99C0E062905B7833E9CFE557C20,SHA256=3260DA7871FBBF9B1DF1F31AFD3ECFA36EA380BBCEB0207B514EF1FC9B106BC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:48.862{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001045206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:48.597{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000974118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:46.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82D62819CBFF60AE710D2D2113F3C2E,SHA256=A6AB068C36F942C1732AFE0E253D614B00581BAAF00276C7BAEC41BFBF388FDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:47.706{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59136-false10.0.1.12-8000- 23542300x8000000000000000974121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:51.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3CDE109B3A312B3973B87192A5497B,SHA256=EB8EB29FF3AA7741DD2A473C646B3C308145FDE0C89F57594CF6DED0643B7401,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:49.757{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:49.702{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59137-false10.0.1.14win-dc-429.attackrange.local49672- 10341000x80000000000000001045216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.442{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.442{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.442{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.427{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.427{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.427{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.427{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:51.395{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97FD077198D149CC3024D262F33B1B9B,SHA256=6BF979949C2CF2E52536346543A66331176850C56C398F4D8D4091C7624E002B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:51.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37251BA41A76981EF20E4ACF5113B66B,SHA256=70DC653A2645126F845962FA541DD921517AD5C9A702AF2677E24D4D5E7A0750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:52.910{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF384B2D0CE035933A1318745944FDB,SHA256=2FE652BD0CB64F14AEC0D22DF201E10A98A3356BF3FAD7E6AB16A15500F349D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:49.122{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:48.643{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59137-false10.0.1.14-49672- 23542300x8000000000000000974123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:52.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615EB96063D3A50F365CB43E14CC1931,SHA256=38378A3E9ECA406FA9D1675377C8435087552F14FAE6236AF52E3D0FC49075D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:53.924{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093E06FFFD137E83061F95E66A3A471B,SHA256=F6D3C3B71979F46302783A106FC071EC3843607E419C9B3733C39980589CC179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:50.781{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:49.974{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20894-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:53.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8F74B56BFC0582BCD20F36ADDC195B,SHA256=A379145C38D15804317F983DD182145B5140328ECB3AA5158169B6FFBD4BCE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:53.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0622920FD131505AB0C6BD85E0415F0E,SHA256=2AAFE861465F80A16365946E4B0AB7F61E10A37AA9312A33872910D964D0B051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.939{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA61E401DC2540218CB6E650BA6E99A,SHA256=63F3D256E26D5459AAF2B823C8CD557081E0AE784EE3567CECE42D4A9F5892A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:54.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E99ABF6770024B73F24C757A74F2B13,SHA256=9D6F72E65EDBEB7B763A05DE88D9024721CC34B3E4D2BEFC1A80F92F1B5DE4BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85EE-6151-9379-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85EE-6151-9379-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.824{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85EE-6151-9379-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.809{5EBD8912-85EE-6151-9379-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.324{5EBD8912-85EE-6151-9279-00000000FC01}30244132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85EE-6151-9279-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-85EE-6151-9279-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.140{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85EE-6151-9279-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.125{5EBD8912-85EE-6151-9279-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.955{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E9361BD8FE5EDEE48582CB59C13E25,SHA256=67C461C44779ECE970832551E2710812F825728543E41A7BF288D27E372805D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:51.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:55.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C7DB4177156C8968A24D5CC487D96E,SHA256=1FA1B133508758FA2FD4BC28C9D886B4F0FE71332DE7485C3D23E8088B292882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85EF-6151-9479-00000000FC01}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-85EF-6151-9479-00000000FC01}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.439{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85EF-6151-9479-00000000FC01}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.425{5EBD8912-85EF-6151-9479-00000000FC01}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.155{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=470480B9C8BFC36ADCF930484468C243,SHA256=1A8E43B922BBC1B63DB766334F39DAC2267FA9D7C8460CF6265AFFBD71EA19C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.008{5EBD8912-85EE-6151-9379-00000000FC01}52806800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:55.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32DCC03367EA526E9191F5D51909B93D,SHA256=547B98B6EE7F86A77A037C3301FA1217B999334B4AE90476C803E2589FF37AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.975{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E91843EC6071FF715C1D1863896D41,SHA256=C8DAF8183DABC0E497DCFB691186BDF5E3360887A651530CCF2CA65E9A5C45C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:54.035{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:53.737{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59138-false10.0.1.12-8000- 23542300x8000000000000000974134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:56.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9585A6E42C0FD51C2004E5AE344299D9,SHA256=3B216F3B74B20A60836A58E36AAE37B8F08CFFB155CE31658BD61D0D07BBB3FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:55.134{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52836-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.923{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52691-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:54.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860A1934E1166F0DAA4966D7B233CFB4,SHA256=55F880C6906AE9686A4F69260F1A57671E4E81FD6E0F1661E1B96923D51AA3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.240{5EBD8912-85F0-6151-9579-00000000FC01}60001092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-85F0-6151-9579-00000000FC01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-85F0-6151-9579-00000000FC01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.055{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-85F0-6151-9579-00000000FC01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:56.040{5EBD8912-85F0-6151-9579-00000000FC01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:57.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0319368B88D37B1E36F5211055A765,SHA256=C7FC08BB5AEE7C2B1C976A299B25B018D603422F1091307569ADB272B258B164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9633CBEAD934A8E5FEF15DE5E9A8D07D,SHA256=50969DFC5CDE72F6CCAF2C5E666D3F318E4E96EEE7AD1F59D7C4BE7693874DF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:57.491{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:57.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEF3C7D66228B38ED9CD76B9A4AA5DFB,SHA256=3F25DE56638C99656973D4D08819E7149A55D458E848E54382CA80E015DE8C78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:55.953{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-55646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:58.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F266967DF0A01F30A7F6DA9D0518EEF,SHA256=D7F72E297213810174C49510486D8158C64A2D9A92BC713F04E18B11DA43A2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:58.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39950C93AA581334F759FA3C09A3FC56,SHA256=373B13DECF35F3937F7052171B20049226DC9249F1CEDC222A4548A335D8CD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:58.122{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03E05B711942254D25B54D39945D8EE,SHA256=6815762088FF017C2A7F84E414FB93D1D2143FD3850B9DD0DFA76560BAA5AAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:56.079{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:59.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0BA9D5D26150DCA171243EAF68504F,SHA256=AF8A0F21C2216E1ED85316E973A2462D8CD77972B646DE9C0FF1D11D8EA2337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64267E7DB161404B8D65960AE632AB93,SHA256=DA3BE857C84110EAC73BD5DB9F3D51B1EC2CF144350571ED90F3261F67C53E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:00.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=344992109E6C6D773611581CFB0EAC0F,SHA256=54E92160C0556DE9B378F77A0F358555E440D1C0A7E270540FF16E7D351B406C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:57.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:00.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D794285CEBBC9A24E0A50D266B146E3,SHA256=55E6BC90278DEEB04448692C27CFB5FC67E544480A206592DD4C8BA79270541F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:00.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02DD992DE17B15BE4A83FC388A8F051,SHA256=474B88520F5BB60B78E9C256B5653F2AB95AFDCB08EA4E440F96CB1628088F80,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:51:00.052{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001045298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:51:00.052{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001045297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:51:00.052{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001045296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:00.039{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4287MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:58.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59139-false10.0.1.12-8000- 23542300x8000000000000000974147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:01.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8807C29CA3CFE2DB0A911C64ECED639,SHA256=32999FEF375AFF80AD8D2F60D5FAED9AF9289EB15C582E024541AA3A4C5B205A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.766{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65453-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001045308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.766{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65453-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001045307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.750{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65452-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001045306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.750{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65452-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001045305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:01.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C93431D2A3D76C4DF077B6EE2ED761,SHA256=7A3962707A67E0CAD16A25325E1E0BA1BE308326B473F48DA6C2E72BB3989E89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.729{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65451-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001045303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.729{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65451-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001045302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:01.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E15DA11110FC24D1B832B2158248945F,SHA256=F83AA7A0DA969FC178FBEED9833A5ABE62B42CEE0747BFD20C70F4EA87547B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:01.038{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4288MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:50:59.774{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:02.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=304C07D087B7173F8DBFF4DD3232A32F,SHA256=B494679DDED89EAB6F2EE9BE69C775A701D18ABC115049B3F3AF1237CEF33129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:02.710{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7E9C0B9D0FD03F4F00D2AEC0F6A8C3,SHA256=CDDC3AFFC6BA7546287E3382C76AB65AF36421A234A347E5DA9EABB7F5906864,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:50:59.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:02.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47D55E910AF2B34F85D10005BF72349,SHA256=79085A862B0310F942104686A71315A8153A39CE1C3DA69A8D38B10BC7C7DAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:03.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D501AC596B592B3E7D5D12F3291C5A90,SHA256=6B91DB067B1AA03C2B1C8D686F8DC5948588DDB66E1B7D06EF22005622F1E9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:03.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFAF59CF5C8C88108BCD9B2254C0E68,SHA256=29CA89639D962110C07830D701191BA1DA328D742C1444E19E347A2D2A6C4D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:04.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5C112977638542E7CC2316039C347A,SHA256=B607649F4D27C0396C67424551AD108B1A2155C1885FED65D5F6614CB5AEBEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:04.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825FE8F18C62A97D3A303BAAEADA5501,SHA256=8BC9111C0FBB6ACE2675D7FA154EDDFC5D10B42E918B2706F1034BFDE1A560F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:04.869{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5A0BF772756FF2C82DD31A642822FC0,SHA256=27AE9331CDFFB58684FD4E4016C4FB87185309683B0836263E1EC6C1BB51F360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:04.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5020707E15E4D8512E53329D5B38EAAA,SHA256=9D2A44111B7A224B6C519860A407760DF096DD2EC16D7D285EE855A2A707C19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:03.000{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:01.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:05.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98C1089E160A7E753A66C04D9595F455,SHA256=04E457033324C0890EC406ABC98E13C5FC9895E49775E4B6A7210423D97FF008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:05.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AE9B376413DAD1A8138798039FB7CE,SHA256=14C16AF4BD88EFA50DDC723F7569C36C462CB514BC713284316B989604B5B8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:05.220{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089E2AF53645C2536A2C9C7E7D3FFE73,SHA256=A08A12851CE39313B42FA9EEC5CA18B8A75AA219FD066A76249E0EE7FE6BE9D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:06.976{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15B55E3D18F5B30CA15115241992FFE,SHA256=2BC09BBB96439DE73486E24ABEA501947B834D6135A2A4D3DE046D19B8F490E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:03.701{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:06.251{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B342FD894F96510B0C4843DD73E72C,SHA256=DEE527776C6325D632D6AB725005F37077A51C95AFBA6AA0108729BB7F970B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:03.238{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57789-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:05.880{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:07.271{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BF0ADEF5903291166998EAAB6D65BE,SHA256=FDA45ACCBE41DF1FDB2DBDE0F39E0FB58BA6A7F75424F589BF2533CB080BF421,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001045318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:07.219{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-09-27 08:51:07.219 354300x80000000000000001045323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:07.211{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:08.818{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB7D8D6C02EC352875A3D0609F01F93,SHA256=8B8003B5467B04F7F7C792DF6BEF60F20ED6144B6EAA39D5B12BEF2EDE3DCEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:08.287{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76BC7CF510D2DE0927C4FC83D75861D,SHA256=4014D067F6883020A418ADA356B792CB875A94305BCFB464E02276AC609DC913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:05.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59760-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:04.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59140-false10.0.1.12-8000- 23542300x8000000000000000974161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:08.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00F8FB1C502850FC6438920718F08F0,SHA256=6BE58DE1F701374B506C349C393206ECC13FF9A71F8A95660F4AEAA5615EAB73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:08.236{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:09.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E41FAC4B0AA69C3165A6499A7A20274F,SHA256=07DB8C999CFCC4E2CA94199CD400D0D54A09109365EF4C3F8E39DAAB59B3BA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:09.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340ECF13B7CD638ADCC6C50B7E6ECA9C,SHA256=E894729759BD14A92E054F329AD3F4E88AA17D6CCFCD7CD2AAA2907E7FA1D970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:09.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D4866D8EAF54337B9DD92E73AF6279,SHA256=E3E02C51F85C29FB9D754C3FC44300BBAEF7CE0C49DD1DD98F80D9294341A379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:09.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F4598497458246E49D54E412140A97,SHA256=6B4F388AA896DCA964B1F7B0DC57BC0E95D8AF0CD8B3944E97B28A551B9A7089,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:08.130{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8640-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:10.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BCFA4E0CCA8309A699556F365180D8,SHA256=1BA3951CDA2901256B3EB50D4C53FD079BCB6684C9CFCFE985EA9AED7DDCF68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:10.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB90C98C063A768E790D568B3627EF,SHA256=BD917E0EDDB30084365588ED978086F2FE279CAF43297A54F2B46926DE7358C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:05.719{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:11.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FEB3A95059390FF15FA9D07943A9F4,SHA256=532F88C2E44EF07EC286A3335A36D0C8F57F0FF5E53360D383C837C4715CFAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:11.385{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C344CD62348A34F3F51E733DC75E47,SHA256=DA8D02F3BA3BBF818C3BBB339AC2494B99DA9E405E37D6A73AE6A84D466629B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:11.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C67F058222DA699FF665DF96F4AD1298,SHA256=F6E3E129AF62BFAE2299FAF3FF139D0FF710A0B8EDC270A449463DF571108CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:12.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9460EF97A237F489864192C1DD5D9DE,SHA256=9E081C4A9B0A06BCD7AC351804F7438CD66770D39D20F40325D1BB0ED0DC27ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:10.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20070-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:12.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688261BFA5927338BD6A5F1CFD79556A,SHA256=9A68647E68DE832BC49B00E79EB5B22E4FE73447642846AEA3C4B256888D6F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:13.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFFBA82498C964D254EC2BAC6B12A10,SHA256=4EBA90A7C558DAD48A9D59E3B2942458523F6F50B09917A2196C187554BCCE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:13.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E1C77CFB4CED0B238B4DE081812105,SHA256=43F31D4CF45AD1928B95E1FD5E60F920C3873826D5F9CBE096124C5B54EDFDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:13.226{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:13.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DA1E0134467BFE941B77B03B2C41D70,SHA256=FDA0576C386DFEE166C4BCF5CA0A0D1801B1F09B2FC5C8F78938F470F1E42C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:14.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FD215FAC8E0A10D255B4BCBA95A16E,SHA256=6A2A399768DC57E11681A5EBBA9A426CA8425C446BEBE6ADA3CDD5F6F28310D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:14.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160F967DFB1F3F124F927D2F9CCCE13A,SHA256=6CCFAC79526DA058976413F12FD0CE1705321F38D65088601854DF4C7832F240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:14.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E179913AD7C0F4D9B217A81C3E27CE1C,SHA256=1A5E2AB3A27E8B7FF6DC20A15362DF6BE97188DA8AB93CE551354A128C0A6E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:11.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000974177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:10.789{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:10.726{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59141-false10.0.1.12-8000- 23542300x8000000000000000974182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:15.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9280340D51A5F01BBB9845328D402,SHA256=151399587DEBF53E948208E641B48A6A4C1470EC0CBCC123B8DABE207D956C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:15.430{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7952ED5F89F5350E8EA068222A622B,SHA256=4DE147353449BA4BC51830EED5E8D4205CC2CDEB05A18605C4DB1A8CF56A8535,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:12.110{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-31804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:11.867{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59142-false10.0.1.12-8089- 23542300x8000000000000000974179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:15.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ABE64C46C6CD3D158C8F4BD0C4F8A9C,SHA256=879C05093424D26A8A537543073ACDC9B63716885C51E558A9F64EB2507FDCAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:12.355{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:16.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1402B5E6A4F203066EF726D00A45A501,SHA256=371F4247DA54D7C0E42B48FF70AD65B7AC924CA7A00578EDE1441FCE73672EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.498{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=4F90892D9866A1E8296E6D2298920DAA,SHA256=C836437C0CEC0B59C1F41091D79FD3E9AB0B19223E5A7CCF4705A2FCC04B98A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.445{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F9A65D1AC12F0311FA36D1208ADD0B,SHA256=111AF3B85786CF92A6235561EF7B3012DDDDFAF978BD3EE918F30D0E2310DC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:16.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8BF496D4FE9278031B63339680434DD,SHA256=C7827DBA2FB4F881CA574FD86FFDE521B060CCD1AE3EC802ADAE74354025A585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:17.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8078255786380253F6DEB978D4C547,SHA256=B4A50AE5575D66CD41FEAA7ED3ED127AD3202EB91AD937F286D0B466B6F91EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:17.459{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A5A14373E06F90E2B4CCCCE7E29F8F,SHA256=B776CCE95A5E6CB3602AA071EA5587975D15C574748C76391029C20E59A47C3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:14.118{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:13.750{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:17.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65BF0D9057A433816F1C5FE16401E3A,SHA256=15670BE7335583025D45B46D26A7579F80F01D816A30275F5CDCB011803422E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:18.710{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997B10AD7325DE4C91BFF0858B7A0395,SHA256=5349AE509C2CC0B28303CF88879CD6D098F304D4219D439D136D43A88AA11073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215CDAE7D5D67FB121434280CA96911A,SHA256=D38E14B501659E29BB60BB5B51F04E7B69067257EF1EAB5DDC30433E71CCE23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:14.683{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.948{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51444- 354300x80000000000000001045399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.945{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65384- 354300x80000000000000001045398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.944{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52712- 354300x80000000000000001045397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.943{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51325- 354300x80000000000000001045396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.942{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56526- 354300x80000000000000001045395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.936{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55712- 354300x80000000000000001045394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.934{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57741- 354300x80000000000000001045393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.932{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57749- 354300x80000000000000001045392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.931{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52403- 354300x80000000000000001045391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.927{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51096- 354300x80000000000000001045390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.926{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55976- 354300x80000000000000001045389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.924{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57556- 354300x80000000000000001045388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.924{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54996- 354300x80000000000000001045387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.922{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52185- 354300x80000000000000001045386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.921{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64866- 354300x80000000000000001045385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.919{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56628- 354300x80000000000000001045384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.916{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58770- 354300x80000000000000001045383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.913{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49839- 354300x80000000000000001045382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.911{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54022- 354300x80000000000000001045381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.911{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53634- 354300x80000000000000001045380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.910{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54350- 354300x80000000000000001045379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.909{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64460- 354300x80000000000000001045378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.907{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58183- 354300x80000000000000001045377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.906{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54865- 354300x80000000000000001045376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.904{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54354- 354300x80000000000000001045375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.900{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57655- 354300x80000000000000001045374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.898{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65359- 354300x80000000000000001045373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.896{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58598- 354300x80000000000000001045372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.896{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local58598-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001045371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.894{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55345- 354300x80000000000000001045370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.894{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55345-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001045369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.876{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65459-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001045368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.876{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65459-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001045367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.875{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65458-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001045366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.875{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65458-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 10341000x80000000000000001045365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.376{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.376{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.376{5EBD8912-79C0-6151-E577-00000000FC01}42966688C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.297{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.297{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.278{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.277{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.277{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.276{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.260{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.260{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.260{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.260{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.198{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD333C3628FE0CADAA279F29FA974B66,SHA256=B2930A47559B4822DB7EDB17422967173B5F77AD0D08045A358B52F69A135DF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.182{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:15.806{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65457-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001045349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:15.806{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65457-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001045348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.129{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.129{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.076{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.076{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.076{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.076{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.076{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.060{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520 154100x80000000000000001045340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:18.068{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Temp\evil.batC:\Temp\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000974192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:19.710{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3739F266437AE35763E61D324167261,SHA256=DDC1950B45EBC024BB9918AF8A4F2E7784E33B90F7F605ABEB7F9755E1D7CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:19.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F697B05B373186C76C1BC9676CD2E35A,SHA256=61F784C616F45DBED7E4C37F2B65AE4FB6C74338A7F8FF9EE7218E0564EBA1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:19.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B22269633DAC9533F6CCDBA7F57624F,SHA256=BE846B152A3E3538813A0079017E819F5095BC16C3225E1CD5350CDB0CAB3EF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:15.866{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59143-false10.0.1.12-8000- 354300x80000000000000001045405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.955{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54595- 354300x80000000000000001045404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.953{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64894- 354300x80000000000000001045403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.951{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56043- 354300x80000000000000001045402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:16.950{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51758- 23542300x8000000000000000974194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:20.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149C47BAC236562136FA62A669D5A88F,SHA256=1B5F1D58423230814348D98B34373C8996452CA0AC3805CB68680DAC6CA0855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:20.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5480AD9B2247E7E18D54D32AB920F9,SHA256=E9E624A0C974AF1198100CD7AA3140960D7E4F0D0C87FB2ACFA0A9D2E59314ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:16.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:17.767{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:21.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35392868222BC56D432CF108DBE12D40,SHA256=26A00F86B0397030690F749BBDC37E9E7FC08E0434C2584609290812DF29148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:21.678{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAC4466F3FFE4D4BF7BFDC9485C7E8B,SHA256=86D8AB995B90E42C1CA4361CE2E94A7392ED82658A3CE065E3C79D3B75E9FB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:21.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D8F72BECC5A57370B06BAB393F927F7,SHA256=3C412F1C8DFFB79DDEE627040C244BDA3F8CB5632530EB9B451BAE52F2CBEFEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:19.866{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54222- 354300x80000000000000001045411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:19.865{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51221- 354300x80000000000000001045410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:19.862{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65036- 354300x80000000000000001045409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:19.861{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54971- 23542300x8000000000000000974198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:22.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7996D81CBFEF792AB0D78A914244B5B,SHA256=5D796BD5D77FBA9AA372D0506E188668D9D2262FD8C0519D3FCD4514B87BDAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:22.696{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1815265A37FC9CBE6510776F430DE295,SHA256=F24E78D23D56928193B23300A372DBAB31AFA235B65D0E4D3D1794E21ABFB5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:22.696{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02205C2672EBF6847495CCA284053F5,SHA256=B44DFF61D44C94E519A99DBAFA2D40AE3CBBC5B13FC572EED6F3CF8A489A999B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:18.377{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:23.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC132715A66615F871DC00BD56543ADF,SHA256=44D38145B993CAED493AA910E443F27F78438DE1016D78F3B5EDDCCC3707912D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:23.711{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2B1A3F2EC9E73B542E0408FC944A0D,SHA256=B84DF27E8D3DA17D074A9B44FCCACC9E9C7878F7D22361CD473891B93262DC58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:20.782{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-55753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000974202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:21.884{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59144-false10.0.1.12-8000- 354300x8000000000000000974201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:21.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:24.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22FD40A8DDC0A0017566421FD6600D0,SHA256=2ED34AFFC4790828984643476FDC3683F3AAD1656B77DB1F91A99BF58DA4D7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:24.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C845989EF3D11CD113506994D457C5E5,SHA256=7DE87655E0EDD3E383EB2D975F1AD75EEF1FC57ABEA0292EC08374A90531E449,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:22.935{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:25.728{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BB03939B9078AA7DA729440F04064C,SHA256=5E37DB3A3994084D14935183E9C5F03A2F8398C829D253613AD60BD7FF85382B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:22.598{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:25.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB33B6A90B3C1C1F7D8255CC2141AF8,SHA256=40CA2887084E33F13E392BD3637F781C560CB9D318AEFECB3B57BD82078EC7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:26.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80600CE5E9E1D26281AC8FDD2D1D31A9,SHA256=35A6224A0E6EC71A1056325C0C3D1EC6CEF81D46E5E1EC45819BF6CA9D42A984,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.977{69CF5F33-860E-6151-3579-00000000FD01}35123148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4FAC21CC19529FCA71BDF9F75EE5EC,SHA256=E0CA94708275CD79A0DA11661904885590209E0B093DF4F62DD335D9F9445B38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-860E-6151-3579-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-860E-6151-3579-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.744{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-860E-6151-3579-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.728{69CF5F33-860E-6151-3579-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000974219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.321{69CF5F33-860E-6151-3479-00000000FD01}25321976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E12DC344A1AAB6EDDE899C6D4DBBC460,SHA256=4643907B9AAAA8D22661CEEC190D071ABDC84132B1BC6D4234394CB78C4F8FAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-860E-6151-3479-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-860E-6151-3479-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.056{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-860E-6151-3479-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:26.041{69CF5F33-860E-6151-3479-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:27.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2392F95C95BF068EF05287D4B57E6083,SHA256=9F62ACB0D8ABFD0EC85D93D48A03E48F78C065A3BA9B0B6EC3C736C3B806BE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:27.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1247C00ED8C32F0EA70FF422EE3C0F,SHA256=0AAA65925F75E2DC94067E38CE721061F94AA476FA764E4466D06D8D3C395700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:27.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554F243D88270D19315DE6497E761E49,SHA256=C2B1CCD2E8F6575CB87B9D8B311FCC6A727725B2AAAF51C9947C7A436D633440,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-860F-6151-3779-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.946{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.931{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-860F-6151-3779-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.931{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-860F-6151-3779-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.931{69CF5F33-860F-6151-3779-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.806{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B91DD5186F224D7132E9D4970790593,SHA256=EB5C1AD003FC966A0D764C4DA530679926A9A62F213C71F59F7F50FD60A960FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-860F-6151-3679-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.259{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.243{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-860F-6151-3679-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.243{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-860F-6151-3679-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.244{69CF5F33-860F-6151-3679-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:28.776{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8490C3BDE8395BD295BD23F0CB6A7537,SHA256=6B5EFF02F653771533E341B4655BAF575402D8C5303692B340F0B0992ABEE50E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:26.344{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000974277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:25.464{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8610-6151-3879-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.634{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.618{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8610-6151-3879-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.618{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8610-6151-3879-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.619{69CF5F33-8610-6151-3879-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000974263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.149{69CF5F33-860F-6151-3779-00000000FD01}12482816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C19591B4A001969D1845E0F1F0FD89,SHA256=5EB1F0C93498B23B3376F01FBA72CD79750A4E5FDF8805254383BB1C12D36A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:29.793{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8844D52D65A510A746BFC61D1B862716,SHA256=8F8373F364036FD59A552E50A7F191ECBFB1DB017063645873202CBE64EDFFC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.384{69CF5F33-8611-6151-3979-00000000FD01}8243620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8611-6151-3979-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8611-6151-3979-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.212{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8611-6151-3979-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.197{69CF5F33-8611-6151-3979-00000000FD01}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C01551B104D87633C924D14BCCE3E6,SHA256=D1E66056F6CAE1905C97227BA7352735FBEDE3FA1D0662FFFBE907826FF85291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A421203F7E79BB8B7F96A51AB0FED850,SHA256=B2A1E08727B28D703721B642CA5AA76093BFF78CEF38108306C4E22BEA56F8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:30.808{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165982A779DC6FE4BEBA234F80DBE516,SHA256=84D08DAD73D4237BA3A659BA2A6E29BB78C5378F4908098B520A510AD8B503BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.252{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:30.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058F1DA958E052A47001F055A1617674,SHA256=7AA2D2E289E9B4253BE3D04816273B3C21EC7007DA88E4AA003B8394FC31DF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:30.640{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2392F95C95BF068EF05287D4B57E6083,SHA256=9F62ACB0D8ABFD0EC85D93D48A03E48F78C065A3BA9B0B6EC3C736C3B806BE01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:28.999{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63021-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:28.848{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:30.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6924FCF46F0C1FE39B059C0F6E53AB7,SHA256=88F96AFCC979B99B5EBA7B7F8ADA101386E247FC700929CC71F66AA05083B490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:31.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2E2E6054A602BA555C1307F415C7FA,SHA256=C3BE39D11E7D593ACB259DFE355737E1EA2E5D1B223C33E94874BEAB15EF8FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:31.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50A5DAF58D80183BD417D244241DA9C1,SHA256=7B00D072A981D7EE70815693F39ABCEEF947924B0E3CBB9B9D766505F001B3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:31.462{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA354C9C2B803B0DEE4F2585E1718DE9,SHA256=6642C7AD663A2CF72DFE515CFE8079EF008FD95A1D28E8B52770B3408220A69B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:31.639{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:31.639{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:31.639{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8606-6151-9679-00000000FC01}7024C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:29.233{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000974297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:27.837{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59145-false10.0.1.12-8000- 23542300x80000000000000001045437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:32.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02777FEEDD44AB89D0A0D6600A5BB4FA,SHA256=FA4AAD56FB63A1044F5E3DC5CCC8B0DBA72C39143D333DA535DDDFDAEA7832B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:32.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B63300BEEBB7B897B30311C7A0F2D49,SHA256=3AD3AD761AEA8B726FAC3CF894260CA14227FC84A08474089BF3A9F4F7F7DC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:32.399{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B4449DA8D9F858A1944E916C11F27060,SHA256=D3E83D4FD249B12D304CD6DDAB38A5677EA08EE14513429F9A980B9D6110F209,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:28.691{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:33.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CCD67913796F910BC36FD7A806DB83,SHA256=784CAFC11EEF99D9675C4E30247E359AA867BAB2F0FDCEDAB0263751E5F74C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:33.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2457AD5E9D2ADABB7292B5BD348AF6E2,SHA256=C22266EDC8187E339C65C00903B778A6C8D0028BD84ED08129EFB10E3C2B7F3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:30.817{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com58724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:30.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-62984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:29.391{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:33.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C98B4B5E837ADA0CF3CF66599E49E27,SHA256=A934C33E358945D1A4E1962A9359090B863DAE539A3AE017A4B687F45B8FAEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:33.106{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4288MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:34.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8C8663140983CA8FE528F46A54C6DF,SHA256=9AF31B82488ADCAFFF7AC828581EC7B2471DF8463C477779DE759FF84EDCCC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:34.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCECDE305806AE4D75DBDE8FB90792F,SHA256=0753567F091F5CC83B53591E450160713D51B210F68FA3AF854AF8AF73ACDB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:34.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DBC700BF650EFD8969066FD15B9595F,SHA256=E0F6C2A31C303FD0E026B58F0B8AD4082389D899B946977628C543AA8ADFA5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:31.516{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25627-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:34.108{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4289MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:35.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F084AD0DF8AA8FAED8082934B763785,SHA256=C3B0E2C202DD30BAEB0BA8D05264AC760CB685BB74D170240EDF306BD2F5144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:35.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F02F475D32FE6763CE4BFBF5FB5594,SHA256=7487CDBD0BE965D6F873AFCB479A87900E2C74F1F8EC5E4047C9F9918BB008BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:33.865{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:36.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCE704D9D05BB2ABAA8FFFB269E2BE0,SHA256=EE52372C927D17130A03FD83A042FD2123C8C85349846F019A79B0DB1A0FC08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:36.922{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A981C04FDF5935FEFE8DC84A85EEF63F,SHA256=8F89668D5F1056F681A61468A005F88567E12D5A4F1A714D437F12D086F2B78B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:32.886{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59146-false10.0.1.12-8000- 354300x8000000000000000974314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:32.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com42398-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:34.680{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com45360-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:36.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AD891F4094C3F98EB40CC60E05876CF,SHA256=3B241989A76AA7CE6A226241771A840C9E8DF287CE8D4A2C81BCFA10878A6EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:36.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB0CBD8EC19185F46CEA6358B7E6362,SHA256=BF553128B39B0A0C04B6A3E93539211C0CB25A6C165786120C8D6BE9E5A6ED48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:36.173{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:37.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DDA124A3AC7EAE15D7FA00EC4DEC5F,SHA256=9384E7E99F65254C1F6FC56FA4D31F7A343E51D27EE05DF9211A1E2C87629CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:37.956{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFD38C2C1534AB22850BC2F9439C949,SHA256=937FC18D7660129A24E4DC77DA4543F412C0088D975AE7DD5C85322F2B7A3589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:34.571{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:33.860{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60794-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:37.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D34837C166B06CB452CBE2B3BA22CCF,SHA256=61F1DCE2188C822080C3CCDF43EC5398C2668F8994DD306642D3E7BC84915B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:35.845{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001045447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:35.205{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-59706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D956EDBD8D8C6E1326A316421C20B821,SHA256=C8A969EA792F85CB601D9984252FE99552D0D71C5406FD19B0BC5CA6E2AFD1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A83A8EFB4D88CFF492EEA1D4D2D916,SHA256=2521FDF1B1740743F747DDD880ECE836CB6FFC3E0C3A4FB34B137CFD44EE4DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:35.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53379-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-861A-6151-3A79-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-861A-6151-3A79-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.046{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-861A-6151-3A79-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.031{69CF5F33-861A-6151-3A79-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.877{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.876{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.876{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.855{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.855{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.855{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:38.855{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:39.992{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51440786140A4EFEC77EE69C64B78CC0,SHA256=7859B0263542B581DF1832D51AC84F6F49368CF02C1A34863BC07C55AD6A4A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:39.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D767E5230AF95EFF49C69876CBEA06FA,SHA256=B4B80A64564659FD5B9109150FDF5D46B6BE8FD9ACA9BC7DDFC6285C9C20AB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:39.093{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D9101DC4250A41707CE5DC789F2D57A,SHA256=4151CD0A52EA546FFDB145E56CA6BE46400B225C59C2300ED6E2AA14A319E7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:39.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E4039F847635FBE16A035A54CD487FA,SHA256=AA8403F71274FF18EDAD3ECBFDC55FD77780722EA409EF3801C8A49E4C44DD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:40.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A1B52563BC39C3E7E98AE382E08582,SHA256=2686EEECB02A7348D479BBA345EFB8390EBBB790E1CA6FA24DC35F6E50C02FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:41.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B861CBC55217AD7DA33EF5FB7829C8,SHA256=DA7001ACA83AA067C9E6F799DB4A96246C2CB3069E74FA9A431513FB18936360,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:38.780{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59147-false10.0.1.12-8000- 354300x80000000000000001045463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:39.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:41.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EC2468DE718A4C5118CA3A39468CAE1,SHA256=F10FF5E4E834A46284962EA2DFD2C7DEBDF51746187B3C816C29A2254EF1FFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:41.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AD891F4094C3F98EB40CC60E05876CF,SHA256=3B241989A76AA7CE6A226241771A840C9E8DF287CE8D4A2C81BCFA10878A6EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:41.007{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C5E2F568318CB9D6DAC8FBFEB56F31,SHA256=0AEB30C16D9F289B807A9D817D43E011713437ABF5B56D7BEF7CEFCB2AF8718A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:42.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC61E06DAE53204FAC6E83D3D42AC81B,SHA256=093E37971CCA36D4AB6BFDBBD673559304E9A60DB3EAEDA0E929586593C554FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:42.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A86BEACF980BCA6C94EE35BE6D57FE6,SHA256=D4FB75CE8244CF2FD90E62141FC1FD37EAE764F8D0B62E5E3B587B77F4C5F676,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:39.913{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62653-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:39.550{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:40.835{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-55310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:40.718{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001045468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:51:42.075{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exeHKCR\txtfile\shell\open\command\(Default)"C:\Temp\evil.bat" 10341000x80000000000000001045467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:42.074{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:42.074{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:42.074{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:42.022{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6DBEBE40C25DFDFAD88DA97F49518D,SHA256=F6B4067AFF8ADC5CA8EF050FEFC78DD0338CC2A29F60D984F248512351A3D84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:43.972{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8A53E545B4A2CE1B78CAE1E6B4259E,SHA256=940E366B3D3CA3D0A365EB98DE71FB629080D148D714F124C474D3B0327CA77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:43.091{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4D63CC8F6B487B807A5832709F788A,SHA256=4A26742AA21E311EB7D204B0A4B8D3A7CCFF6A04E055E26E721D71F5D0C38A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:44.988{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16E0C8320372B6D98C6568306E231E6,SHA256=346829F86713C442E176BB286449E9C2FF0BFA31724E6BCB6A29C4C5999953BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8620-6151-9779-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8620-6151-9779-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.938{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8620-6151-9779-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.908{5EBD8912-8620-6151-9779-00000000FC01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:44.106{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6651A899981A307023E4DC04636D1CE5,SHA256=F9BD263F2707A6F44BF7345CC4ADA29B1E46EC553E6AA4BE7951E85C322C5CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:44.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF1728D5A9FD07520B9BA1A4D3D05D17,SHA256=100B71CA915164299D9249EEFDF492702427AB2C10CC67663E03D55E5D8DE5A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:45.988{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAB402929AF4E767BA6E3A65295B53A,SHA256=833B79037C83BD58FA85464BC24023BAB70C8472FCAC9CE690C29AFCCAB981E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.938{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EC2468DE718A4C5118CA3A39468CAE1,SHA256=F10FF5E4E834A46284962EA2DFD2C7DEBDF51746187B3C816C29A2254EF1FFD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8621-6151-9879-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8621-6151-9879-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.622{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8621-6151-9879-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.607{5EBD8912-8621-6151-9879-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.138{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCE315C6A1022FC8827D19F94798B35,SHA256=2EFAB8CA068FB68F807800A27EB2E80CA071BF18DCFE8475825DE27E6CC23248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.905{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001045525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.905{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001045524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.905{5EBD8912-79C0-6151-E577-00000000FC01}42966540C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.905{5EBD8912-79C0-6151-E577-00000000FC01}42966540C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.890{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001045521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.890{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001045520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79BF-6151-DA77-00000000FC01}21526572C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001045519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79BF-6151-DA77-00000000FC01}21526572C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001045518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79C0-6151-E577-00000000FC01}42964608C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79C0-6151-E577-00000000FC01}42964608C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001045515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.874{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001045514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.872{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.871{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-79C0-6151-E577-00000000FC01}42966416C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.852{5EBD8912-79C0-6151-E577-00000000FC01}42966416C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.438{5EBD8912-8622-6151-9979-00000000FC01}56124140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001045500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:51:46.237{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37c-0xe6edc97a) 10341000x80000000000000001045499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8622-6151-9979-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8622-6151-9979-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.190{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8622-6151-9979-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.171{5EBD8912-8622-6151-9979-00000000FC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.153{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2246257E1B3013276980299E7F8D5239,SHA256=951E2E6718EC3B4284AD2CB0384BD3A32749334509C2C6F7A265D3E0858841A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:43.562{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-37180-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:46.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D924D9E42754CD77FAFA38E6A23AEB0,SHA256=8B86F0E907A46CECF16A8A45C9FBC05CAE4DC6D7EA58273B015167BDCA672F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:47.271{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592D0F1F357EFBA171FC6E3CA1994658,SHA256=F61CDBACD0CE1A5CCDC03B239539DA79469FB8B57D65598717BF221B2C65DAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:47.271{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=534651A5C22607C83FFEF67782BCA3A1,SHA256=1850C788E9C39132C8C13D4E30362908276F2386BDD05A5296DA25888A4A1AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:44.753{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59148-false10.0.1.12-8000- 23542300x8000000000000000974351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:47.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9746E933C6F1C6F2BC8B317210023,SHA256=D9B50D624454D58D4248C162EC049C741F39E9A11BC5B0D975FAB2C07FE39A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:48.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DC2AB622804D74D420099E8E61EAE,SHA256=044C4486C615D112062DA80789FCE1C433123C5173EDB0C7F5CA9A0ADAF3FF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:48.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEB8ECA9A4A5BFD1FB9A688F58433B8,SHA256=DE27417222B84446C52455061B53CB67C2907E8B8D41D97C1405CFF6CAFB8091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:48.220{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5858C0ACA0DFF3C543444EC47D3F9D0,SHA256=DF575F124279284B72F1AF0AE99B3636F3B14CC3BF1FF90153C1F92E600A923C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:46.575{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:45.745{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.504{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF334266848A5DED2C15E1345F0A7AF1,SHA256=7B653A7273259C78BDEED2D61D3A0540B14672511C02C700A68DCE3875635ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF908A3DBBBB099A015C6C5FADEFA34A,SHA256=532E10E6F80943B08A4A6FAE3E5B9214220CFB66DDF8C1BEA4631A5FB5C3DA78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:46.528{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:49.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B44FE406EE7B969597E47F5C20BB85,SHA256=F49744472E87EBB9E393D438782CC0683F1DBBA8B94F304FE78D350AF7B7EA99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.235{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.173{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001045537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.173{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001045536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.151{5EBD8912-79C0-6151-E577-00000000FC01}42964608C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.151{5EBD8912-79C0-6151-E577-00000000FC01}42964608C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.151{5EBD8912-79C0-6151-E577-00000000FC01}42966540C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:49.151{5EBD8912-79C0-6151-E577-00000000FC01}42966540C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:50.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1307DB601AA463B7352404C1BEEF3E2B,SHA256=BAA6393B92B964E7DF26E1DA4AB0FE85725676C723E9AA3A1A3D46D97CD02393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:50.035{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F0B23BDA18AD818F9E852B64AAA0A2,SHA256=972826C1990721417DD91F971DB386858A6C7A8CBEF849B2582E0F0E66407B19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:47.866{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:51.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E1F152A1F456E01E0A1314B60B099D,SHA256=B59978493CE874CAC193DFCD449286D0F2A7F1518D76FB0FD146CC8080DA8FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:51.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB42FCDD2515749864D0B7410482E780,SHA256=D55C5F1EC103CB868ED5E9CD9A431AA38F5695C71724B6032931C2936F918156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:51.035{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9CC1DF1B082EF5A4D4BC60F2BB2C65,SHA256=89B5F7D168E1A9CEFE30F7C083C9F6110568DFFC0B60ED224059559E798D6046,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:48.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53362-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:48.821{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53150-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:52.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD749AFD6C922B67099D5FEB2104627,SHA256=EECC4023A16EBEE51FBDE20166F2CF11ECCBD2B20B12A8CD01AD99985CC361A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:52.405{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:52.405{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:52.405{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:52.405{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001045546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:52.405{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB807849054B13EE7907927E46F8FFA,SHA256=722FAD39279D9465F9A4DA7A5680B16084CD74E149FB34EF3E396CD21812FB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:53.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC0DBD7DCF382FE4AFF77707DDEDA40,SHA256=0D79AC7AB4AD81CA384C8E91553CF4C53F973E1A55E4FF4C9C9FE70B7F7FF523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:53.436{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6BA38B179DC7A64DBCE952B0C78898,SHA256=CA47B0DA0FBAB2C9FBDC7AC3C3D41F5C152260FFBDAC67A49C749E2D466B02A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:50.880{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001045579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-862A-6151-9B79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-862A-6151-9B79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.826{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-862A-6151-9B79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.811{5EBD8912-862A-6151-9B79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284328C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284328C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284328C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284328C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8284328C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.526{5EBD8912-79BF-6151-DB77-00000000FC01}23164744C:\Windows\system32\sihost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA92E9FE036CA083F8BD30004E51799,SHA256=DA8CD6641D3FAE8AAE6EBA0FF28884442BC2765DDB1B44F9DBECE3E882A7C3C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.458{5EBD8912-7F2F-614D-0C00-00000000FC01}8283472C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.458{5EBD8912-7F2F-614D-0C00-00000000FC01}8283472C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001045562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.458{5EBD8912-7F2F-614D-0C00-00000000FC01}8283472C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000974363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:54.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D1391D21AFD2C011A0D3E7E0878A0B,SHA256=24A0CCA6148915FA9B2ED27376AB78AEFA9C5CC77EACE4077BD225B38AC05A39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:50.706{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59149-false10.0.1.12-8000- 10341000x80000000000000001045561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.379{5EBD8912-862A-6151-9A79-00000000FC01}19605804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-862A-6151-9A79-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-862A-6151-9A79-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.135{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-862A-6151-9A79-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.120{5EBD8912-862A-6151-9A79-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:55.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D73E3BA364DD8EFA4301767505316EAA,SHA256=3C36654614FA62EF8E552D483DE049D106620DF26E2883155B05B0F64409CC58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:51.601{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18776-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:55.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427FECBA35344E5A636B0CD4E63DE61,SHA256=61E943F3A1F23F95CEE8A3550BEB40559BF398456E806228710863B86E6D9EF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.712{5EBD8912-862B-6151-9C79-00000000FC01}54402488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-862B-6151-9C79-00000000FC01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-862B-6151-9C79-00000000FC01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.512{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-862B-6151-9C79-00000000FC01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.498{5EBD8912-862B-6151-9C79-00000000FC01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.459{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6670D85448F54B15142CD1DE604843,SHA256=EAB54A5372505DB6721804C6ED5DB3CF6B266DBDD8AB04AE80FBD2E2FA9AD36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.128{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681B2809E768961209430FEB94895C33,SHA256=04379AD535D2087759C7586C7344C77922C4709940424E60D0A033C84A4DE7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.128{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A48D18AB6F6B3EB95746ED41783C8007,SHA256=06338E9A040909BFFF2C3295A24DDCF69EF10BE924BBA9CDAC40E31BECFC0D6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:55.028{5EBD8912-862A-6151-9B79-00000000FC01}45041940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:56.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=253B327DB9131C10B9E295D677756DEC,SHA256=0CC4F8E3E7F78683275A59F755CB0AFF63D06EE839FC3B19688595DCBF53701B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:52.966{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51160-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:56.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15649D31F828C136981C504188FE211C,SHA256=C219098C1AD5F58446E900D0DEDA5B6FF063C689903F5AF704DCDA799CA5A536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681B2809E768961209430FEB94895C33,SHA256=04379AD535D2087759C7586C7344C77922C4709940424E60D0A033C84A4DE7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.481{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F517054D3286F6F5B1F6B63580CA148,SHA256=5A94BDA8F6D4B6FB4EFA989C858C434808E073931F31F08885ABE551FF07D6FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-862C-6151-9D79-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-862C-6151-9D79-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.196{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.181{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-862C-6151-9D79-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.175{5EBD8912-862C-6151-9D79-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:54.179{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:57.832{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9EB1BC949C2A6BF639C9C5A3F1C805,SHA256=8D1C25EE29C790F8C3A51B559A2A908790957D78363075C606C7DCA85E15C03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:57.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021AA7DD9ED8DDBEC643261F697FAF15,SHA256=0B23CD7F90BACEFC256ACC89897C3B80770DFA9D81510632B0C238FE0AD833D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:54.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x8000000000000000974370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:57.425{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37c-0xed98f76e) 11241100x80000000000000001045604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:57.143{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-09-27 08:51:57.143 11241100x80000000000000001045609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:58.895{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-09-27 08:51:58.895 11241100x80000000000000001045608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:58.873{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.txt.lnk2021-09-27 08:51:58.858 13241300x80000000000000001045607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:51:58.858{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 23542300x80000000000000001045606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:58.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312798960CBFA59BEF5B69BA5A66F573,SHA256=F23B40CB5DC3A01F661A9D14002563322524A3428B3442F97A2081499C79F03F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:51:59.825{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 10341000x80000000000000001045625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.673{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.575{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.573{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.557{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F37B0A8C65C4D609AAC6F65FDC2F238,SHA256=825C0E8CEF242C94CB49BC953BC83CFE4297FCC517D4C681589323E117D5AC30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:56.715{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:56.675{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59150-false10.0.1.12-8000- 354300x8000000000000000974385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:56.280{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58451-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x8000000000000000974384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000974383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbc0873) 13241300x8000000000000000974382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b374-0x8ce44e12) 13241300x8000000000000000974381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0xeea8b612) 13241300x8000000000000000974380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b385-0x506d1e12) 13241300x8000000000000000974379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000974378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbc0873) 13241300x8000000000000000974377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b374-0x8ce44e12) 13241300x8000000000000000974376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0xeea8b612) 13241300x8000000000000000974375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:51:59.816{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b385-0x506d1e12) 23542300x8000000000000000974374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:59.175{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EF6308CD872DC914820D09249958136,SHA256=EB2B7E457EF4FFEEE1D980D37405DE2FBB30AB65A6A4BAA1BAF206B7EE64C908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:51:59.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B3E378AC1221B67DEBB78B7964E82C,SHA256=7931CE42C2496FD12A6672631840BF0458A5A7F50A0D18E50FCCE5CB1645FB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.541{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.541{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.541{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.541{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.541{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:59.499{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001045612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:51:59.479{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFFBinary Data 13241300x80000000000000001045611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:51:59.479{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 354300x80000000000000001045610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:51:56.803{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.640{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA0563072D4A6A0C0CA37CCC37032E0,SHA256=A4940B9FAD09F6F3B1C2D209CBE6BAF59777E2AEC2DBACF2483AFA435A29ADEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:00.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70149D6F6FBC89CC85BA2828D6C903E7,SHA256=18A81318E5798CE439832C2FDB5368C22D757008E84DD2EA8E054AD9C84B2283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4B0F545261A437B5104D2A55FA2AF14,SHA256=4EB0E2B6A65518741A0CB8294E0941AF2A0554176CD5C75BE59859E6995437BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.173{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.173{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.173{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.156{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.156{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001045638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.141{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.141{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.141{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.125{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.125{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.125{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.125{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.078{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.078{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.078{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.078{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:00.078{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:01.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:01.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147B1AB600DCA7A333A6445C241A532,SHA256=07D7D5A43C55847422B32CB3E8C9CAB5D38A6813EFBD77885B4FA25DE6468167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:01.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B27ED825B93D063EEF92098CEB005DE4,SHA256=E78B4154ED422295282F074CEFD517DB24C9FE90D22A5801840CAAE1CC76D898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:01.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAD26509A07BEE11C68DBCCE171423C,SHA256=A0A2A24101E853D1121466D62689C05BE0053E09C5095FE4F68762F33870F2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:01.574{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4288MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:02.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338EC68AD0B746E327CB1506C4147942,SHA256=91CFC9BDB2EDD54B4216440932FA9D31397F8672F09C1AE9C0032A8FDD28697B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:02.133{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1549D445757D18CCD2FC30D0FD84B4,SHA256=AF5A491955D0DD53E85BCC7B17DCAC77C36F4468CF54B3B63403F2CF2912A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:02.572{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4289MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:03.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333173FD624C5D58CDA9E767310C4DB5,SHA256=5B2968CE3FDD89C807C7C9918EEE9BF7DFF2CBDB24B0DB2A187AE7C112F8BF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:03.149{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4157E7591B3573600B4D6481BDE744,SHA256=C7C666BE1CE4A5886651BE0337EE097D1C129D42F1A74FFFAD2B58ABED166E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:04.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643C93C914FC5FB00A76B1F3707EA133,SHA256=D32CC51687B3359EA0C4040D15F43B57C2B9102E3128109B706DBE578D7EC2B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:01.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59151-false10.0.1.12-8000- 354300x8000000000000000974394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:01.796{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:04.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CFA5CC4E46702A75E0AFCF1ECA3B9C,SHA256=1079083C4EBDDC4A0CB5CD1D159BC93A68A70A8816C78FAD381F982C76B64F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:05.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F3FA732FEC72B9A8490D99133E5CB,SHA256=C9EC1528FAC69EC3E6FE92A240E09B49B42F4A5EB676330082007B0F7E54F274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:05.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9635099BEF1F9E3A4DAF5E323AC14DD2,SHA256=94A5B9B43AB2BDC654DB74BB5EFA25DEC96717DA27CB6883D7F2184BC015B65E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:02.731{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:06.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B1C34766206A144E419F56845425A2B,SHA256=1E6B2F464BCE4F1A9EB4207179648ACA49FE62068A2C7F7BB390A5A246E222F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:06.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2748F07C4475564F7A48984467055CD,SHA256=006FB9D9E4B443A70F31253684329FF3D26967E47D6B872D3FCCAE86AA706AE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:04.048{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:06.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1F73DF217946842E585C84F893AAE1,SHA256=6A4C072519C36F6568EA917618AD0535B50CA5E8CB4924AD4DE03D401F82F4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:06.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E005D4E687E6591DC904ED2758EE7E56,SHA256=8C9BC9807BBEDDEB7FED7AF16A92FE6123E7F80A29CC0F7FFBF8E9C2D82D7DF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:06.075{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-862F-6151-9E79-00000000FC01}4224C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2e0d|C:\Windows\System32\Windows.UI.Immersive.dll+2524|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000974401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:07.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB2C562772A6731BCAD38B98B028370,SHA256=01D6422D07DE2260BDB2B239992B9438DB2105A0B1F895082E87D2AE834399D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:07.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B159A58DD6BF90AC45780342A2B7A403,SHA256=C1EA699FEC79A16D7006500EB1F5364F6B238DE0E65B3EA2B46F497051DE6BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:07.573{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:07.552{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:07.552{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:08.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A55582508548A2991C09C8354A7B0A1,SHA256=7089F6DCD5E14CD358440C85A3845883DCDD7DB2521B1BE8B7A47F59A93248A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:08.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED45CA9A8E20AEA1D1A48CEAF255D6,SHA256=0773CF79B648014905F347C897265C7DAA7C9F0CA95D38D42713E599E86B4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:08.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B1C34766206A144E419F56845425A2B,SHA256=1E6B2F464BCE4F1A9EB4207179648ACA49FE62068A2C7F7BB390A5A246E222F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:08.891{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:08.891{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:09.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3B3134BFAC047489E665BD26FFF963,SHA256=F5032D25303E327C35538C296FE4CF5B70F5BF9D54872D9E79289D6F9115E67B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:09.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F817C075BFBBB17CD41913EC6BDAE83D,SHA256=7CC2DB5E157DBA315074B23D9B77E11D3BD9E3AF2063603F83212755BA2205B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:09.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F79B3E05044CB647F3800E3992AE9B9,SHA256=9FBBD18E2CE174D33C90C5B976600CC120C69A18D8EC34EC564FBCEC3C97D160,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:08.263{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:07.814{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000974407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:07.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59152-false10.0.1.12-8000- 354300x8000000000000000974406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:06.893{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48614-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:10.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056EBC16ABBA4F858F87C1B84332ACC5,SHA256=E7954C22730542D807536D4B307412B9481DB04C2338E73A51778E65E0B7E5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:09.996{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE65D9BDEF9A35032DDFE7140552ACC,SHA256=5C324F5432CC96A8848AF4F4703EA928523B3967C9800417DD0FF1A0F90D25B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:11.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9494BF95FD0BF0EFCC3E11AAEED5B246,SHA256=4F48186E0153F8EB63607D63D89D82633C8BCD7690603171C3168A4108533514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:11.877{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F817C075BFBBB17CD41913EC6BDAE83D,SHA256=7CC2DB5E157DBA315074B23D9B77E11D3BD9E3AF2063603F83212755BA2205B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:10.224{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:11.012{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4276F93C40F672BD3AE09256E3BE8C2A,SHA256=22FE96C29E76BC9BA32F86DDB78DE6972137B0F06DC4E4028561BF9BE1EA128D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:12.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF0E195B90E9E54231ADBB79466DA8F,SHA256=E66944353CE875E9D6D0C6063986968DB15FAE500B6B92FE5F7ACB35034C6A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:12.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706163E1B951F1A2D5D0B210C342D45A,SHA256=F17783525133CA8E0E61F3FC56B17EE7E0CA2287580211492039C35156325FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:13.243{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:13.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06383EFBDDB2A4AD557B4B1EB128C1A,SHA256=1223C1C5FE89C741F9003CE4BC6A8E9BA16F7236F079AA0C7D4F662F902900ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:13.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99FC732DAAEACCCA4AB98D00023D8506,SHA256=611891A22F34999E79DA1A00AD789D1AD5CA133E19CC747BA0FF2BA7FE36C113,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:11.717{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:11.611{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001045683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbc4231) 13241300x80000000000000001045681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b374-0x95382fe5) 13241300x80000000000000001045680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0xf6fc97e5) 13241300x80000000000000001045679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b385-0x58c0ffe5) 13241300x80000000000000001045678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbc4231) 13241300x80000000000000001045676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b374-0x95382fe5) 13241300x80000000000000001045675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37c-0xf6fc97e5) 13241300x80000000000000001045674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:13.544{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b385-0x58c0ffe5) 23542300x80000000000000001045673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:13.043{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF51877073D7526C54C262712066DE4A,SHA256=E32A13034A3CFE3E278ADB1E3A1DAC2D7D0F39ACE25F8B942BA678209DAED439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:14.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5862838AF4637B7BF8D2DB205910B785,SHA256=29949D4B6DC89B59A53288C541B7E1500401DC1575C0B091207479FB6F938B56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:14.144{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:14.144{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:14.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C989DBA22E4F9927F5EFAF1CDAF4F8,SHA256=DD432B020A37F434651FD888C6E2E63A49AA938714990C1CF81B42CDC406C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:15.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354861DB926BACFD6E9E2409255C96D9,SHA256=9F477FDC25D419D7D5691D57A81A2D741DD9E577AA336442D61D634E012CD88F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:12.950{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:15.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C553E272246B1DFAB684BDBBF16840AC,SHA256=A8F08C972D6114C5544B6C345E60732EF583856D085CBE2602F368E6C20EA754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:15.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26DE045DCBA98913BF7375C76C88CA4,SHA256=ECE55D88E5218FB17C5DF1CFB5D99ADD4A9E52B06D7E45B8AF83A52B780A3344,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:11.867{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59153-false10.0.1.12-8089- 23542300x8000000000000000974416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:16.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB78450E1C71DC1C248CDE8946FD0BE,SHA256=6463881DA9E40E16B3E770BA132FD3B78C638C8D280D7636FF88B66A1D795461,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:14.152{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001045696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:16.528{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001045695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:16.528{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:16.528{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfbc4dd9.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:16.160{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F3D8DDDEA0D27C4494F1698B2FC771,SHA256=3687ACE0F0FFA122A768DC1243F09C9B044ACC089DC0E875021F229A0CF3E46C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:12.034{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001045722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.412{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.412{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.412{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.396{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.380{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42966964C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42966964C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42966964C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42966964C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.359{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.343{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.312{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.312{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.296{5EBD8912-79C0-6151-E577-00000000FC01}42967080C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520 154100x80000000000000001045700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.300{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Temp\evil.batC:\Temp\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001045699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DA282106776BC32AC3344DE690D7DAE,SHA256=8C9BB885B08FC1CC77CC9A8E1CD0F4A879E0D3808339FAB3F967A33E6527539B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:17.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EED4493BCE1DE155DCFC0E78243B2C2,SHA256=BD3216EB289A8754100A91F89BFA1B4BF00517DDA7A1A7AD9B2782EC13542D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:17.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F71044883643F278C5801C41A1C6C44,SHA256=91E3E49F4057449C6FD69149342E97A853E336DE25CFBC85F9178E8D4959C3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:17.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8291594B30459645EDA1642E62FA4C45,SHA256=6A1801FBDDCF23F0CEEF05AD972E47A81E8559558E029933A4BDC1D51259D01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:17.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078E625FA8547D5BE130798C9132B633,SHA256=FF336FBE97897BFE2B1843776D6173D683C392A740D9CC0D0B424A7B403D8E4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:14.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-49395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:13.742{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59154-false10.0.1.12-8000- 23542300x8000000000000000974423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:18.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9204BA51A49D8580C35A3A7F5C38EFCF,SHA256=951B8D1AC75F62709DD54E2F0A151A0AA835037EABC06EAEA5DB56EEE01279A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:15.820{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65472-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001045725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:15.820{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65472-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001045724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:18.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241B98D58699A4D295FD42B8F1A662FE,SHA256=055122DFEFF4EC3F6DA1EC60A5DA0138F66138E8DAD8395DD022B03A4CBB4D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:18.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF91BC0F151BA01A8CDFA8317E5FC35,SHA256=EEE61B372DCFC934D52CA5BB4C6B37658232B06332DDB8A0E92F231BDC5274EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:14.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53756-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:19.446{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6F4F44A36C9C2332BD7C2277D36809,SHA256=B6EEA0804D34484B7756FE5A29D8027C39D72CF874A60DF332465D5A74331238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.441{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1867fbf|C:\Program Files\Mozilla Firefox\xul.dll+1a7ca90|C:\Program Files\Mozilla Firefox\xul.dll+1a78989 23542300x80000000000000001045727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:19.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E809DA9EA6BCA39BC1FCD7624F629167,SHA256=E8BF3FCC5C9A1C103ED70E9A626182F39891160809A9C3A73474FA5D07E1AFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:20.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6574507CDEA77673910B311C6F04001A,SHA256=D522273D1A127110B64C6CE3C132FDD46A5727BFCE68D484AB62D745A1A64EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:20.294{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDE23B9D84E22FB786A16D8C26DFD7,SHA256=549B80970BF525A46AD7A5BF2C2E2C8F55C8CBE06C51D780E71DA1669A94A6D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:17.317{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50470-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001045737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:21.457{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:21.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E97CF96C4F7640DE9C4A18D65E51BD,SHA256=32FFD5C6AC4ACBA1D3FFEC8D46E5F90F45BE2D25778B2BE760819C7850E42909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:21.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13A2A7C8801031745A986870EBA97C0,SHA256=D5E46DE37046460D309FD067C21C891204F7A0498D1980103903C9D62785EE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:21.446{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F71044883643F278C5801C41A1C6C44,SHA256=91E3E49F4057449C6FD69149342E97A853E336DE25CFBC85F9178E8D4959C3B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:18.145{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001045735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:18.848{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:22.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638FA9E2252F2F071D49AF91CB12F2B2,SHA256=3AFAA1CC63DBC2808ABBF575555853EE926F0204B74CE02510171A4696F5BCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:22.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFBCBB31F19A411901240043ACF4AA4,SHA256=B683D1730EB704BB79280FCBAE016C00F39658A64E1923A177206D07633B484A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:23.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8528B47D41DE1BDC70E151C97B9E41,SHA256=58916AE31926238CA1751D041A39892FD7B88E99DCF4F26B64481F222D42442D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:23.394{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2617E15717CD65B6661775A4DC1F8DE7,SHA256=032F485F050497FBF3BE9A87ECC905BEA2E57DBFADAFA2752299E41550770330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:23.572{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=303D55A1157864E62A15CD69DA16E79B,SHA256=04789178020AE01746EE0A1C0290DB7B40CB5D57F5981EA4DF37FB454A3D5257,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:19.847{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-49539-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:19.680{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59155-false10.0.1.12-8000- 23542300x8000000000000000974436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:24.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5225D9F9EAE514D10A76A527B85A1ED,SHA256=6B176A76C597A611C7DE700AC1FF5AE4C718F136F4E2871A4224FA2FAFA4E6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:24.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FE8E8F7D53FB014B671E81A3D50638,SHA256=BC3FA678B547AFDFF32DDDBE429F6862975974AFB79039542738ABA9BB3B6912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:21.407{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57771-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:25.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B051236AF1B7E6A73B09C5F51CF81B5C,SHA256=0FB624D3B7DEFBF01439A7BC7C95F3428BC6D7CC889794338B3672CCBD923F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:22.279{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:22.077{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:25.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C51D1810B14D357A412E707FE2D24A,SHA256=6DFFCEE220E01E0515B90FB984FF0F85C4F15E498257EADF6EF25F39E065328A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.542{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EA596F71816F0C80D2BA7B2E3D6E7F,SHA256=9A75F31218B841C96F3B8C705505A47EF8102BF592FD21EBA391C7B63F1B7121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864A-6151-3C79-00000000FD01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-864A-6151-3C79-00000000FD01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.744{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864A-6151-3C79-00000000FD01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.729{69CF5F33-864A-6151-3C79-00000000FD01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000974456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:22.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.307{69CF5F33-864A-6151-3B79-00000000FD01}14121972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A2C3D687ABADFF36C07E224D4FE0A6,SHA256=1AB30FB75CE1372A0E7B3B2A381FD67F13B87ACD008EB9CF7C3DE6847EDF3B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864A-6151-3B79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-864A-6151-3B79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864A-6151-3B79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.042{69CF5F33-864A-6151-3B79-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E6048A64BF5FDCAD3C26BFDF6F4B1A,SHA256=769FBFE792F8B815207FC5FB0F4B89A182F75FB49482088C604D1C6B50AA0E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.311{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.311{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.295{5EBD8912-79C0-6151-E577-00000000FC01}42961920C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.280{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.280{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:27.477{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C2B8401F68288AD18F15BEAA68095D,SHA256=2B151289938E41137AC7FD0CF82DBF0D145DC03CCC0159C955E0DC49F035899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.916{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9BF9C6915E9E2B9F30DCD3AC33122B2,SHA256=B223FE806DE76EAE152D05AC6A1B170A2D6D0A7D94C62D54649C732D9F4D9B23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864B-6151-3D79-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-864B-6151-3D79-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.432{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864B-6151-3D79-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.417{69CF5F33-864B-6151-3D79-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:27.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CDC79B5D6B80C8A6ECE8AB0C4A656E,SHA256=646A48F80E466D9AD045D202392E2A41463A27A4D60C8DA82603656A286C7489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:27.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E3D3E999A7869763AEC7C474B980E4,SHA256=C25ACCD3E21CA4A98B34659F9F1B92D0E13649BE74BB2E1CEB3F4E2718587DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:27.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB313BDA3431CA3E540A876B03F959E,SHA256=60BD9C7B97A8B1D4373119D5C6A8FF2B7FDA91C1F10E758EB0C7ECAD6E41CE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:24.786{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000974470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:26.994{69CF5F33-864A-6151-3C79-00000000FD01}2544824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:28.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E3D3E999A7869763AEC7C474B980E4,SHA256=C25ACCD3E21CA4A98B34659F9F1B92D0E13649BE74BB2E1CEB3F4E2718587DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:28.496{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829A8E99A6978757413FFD3332BFE788,SHA256=D15D37AE75136D4FC5B29AE3E884A2EFEA04A837BB0DC9314DC23314757CEF53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864C-6151-3F79-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-864C-6151-3F79-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.807{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864C-6151-3F79-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.792{69CF5F33-864C-6151-3F79-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000974501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:24.807{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59156-false10.0.1.12-8000- 23542300x8000000000000000974500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4514C4F46707BF2AD6A9AA97F5DBB218,SHA256=42F36676317C131D40A7AD940DF9AE764399E21B7BBD21D864DEEC69320CF4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:25.699{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:25.396{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59532-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000974499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.291{69CF5F33-864C-6151-3E79-00000000FD01}24282460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864C-6151-3E79-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.119{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.103{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.103{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.103{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-864C-6151-3E79-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.103{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864C-6151-3E79-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:28.104{69CF5F33-864C-6151-3E79-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000974531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.682{69CF5F33-864D-6151-4079-00000000FD01}2556932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:25.943{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41762-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-864D-6151-4079-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.494{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.478{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-864D-6151-4079-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.478{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-864D-6151-4079-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.479{69CF5F33-864D-6151-4079-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.463{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B4D6C19BB479FC2084B53F5A76F965,SHA256=2FFCBC24545F9A6905589685D89CDB5233FDA79509591AF932747084BC5F0B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:29.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B090384F98B114B6E0B44EA063CC4DCF,SHA256=A66FFE513E6C5D0F9BF2E724BBC9C9832BE4253F63BA9BB429012DEE019A6575,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:26.990{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-50607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:29.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591F9872769644244390127D13BBA1D1,SHA256=25E7C2673D77D73D74F37E74BAAFA1D8AE6B23C4F6A7124E9DC3F6ABA875AC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:30.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD72B8339209F10943AA6F4414AC62AE,SHA256=7D0FF9204038E46738C588AB13D0238DF3634D8FDE24F678A9A42B2C86C0FFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:30.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC823ADF91711A5D62EEF5C58A92D00A,SHA256=40FD42A71B664414B755D03AF6409AD2DDDF4232292D9397C1AD9B57A90D100E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:30.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15A2D139925B8C09FA4CE8F2CD11BEC,SHA256=842381F370BCF8E20658F6D2F6A3BC33C4EE48F7BA10258DB71F24724F8D9342,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:27.168{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:31.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A33D363F7F0495AA60CB73F151D082B,SHA256=E2A3737F0C94818BB6D8AC453A27F9BFE126FA85C6948323AC8B8E15BD12D155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:31.599{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47D6FDA4B9E4DFC04E51910AFEB359C,SHA256=601162AEB5953252FD9F2D670EBC43BA58D7CF3BEBB013DD5981A08A3F1F9AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:32.646{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAE47F7D0416CD4BF435A84BC223D84,SHA256=F3102875EC3AB2BFA1D00384ED6FB1A116AF991CB9813EF56C773D498831EAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:32.494{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16745ADD0C34AB1C69589BD911F1EEC0,SHA256=45ED8779E7F25B5325977BC23C77E84F3CE64D07F1B8009BDDE52659BF0CC6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:32.400{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=77063B4B1790AFE70B2C9A41DE6EE2E0,SHA256=676059172D3726F1928540BF2A17E160207E29BA30E87B515CFC09DDCC399481,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:29.888{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:33.662{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8031302259EFA05147289CB04E2ABED5,SHA256=E1404F5BA1A1C845BA5634182BE4A473D0FB189345C8DA4BAAEBB14D5438F4EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:30.681{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59157-false10.0.1.12-8000- 23542300x8000000000000000974537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:33.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4116DDC28ACA9FC7F66FC9B4038817B,SHA256=3D835A5D38A10EE9AF163CE70BC90FEA5358CE0F6FD70C4A971F81AF9E811480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:34.639{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4289MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:31.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-49297-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:31.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:34.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAC32B7E5178E19B7DA3437DB3A36AE,SHA256=668D67A7A505B8D94717D41547B8D87C5BAB152F173C52E020685053382403C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:34.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA08B2D98F6B00CBBC3C6CA6EAA5C17,SHA256=CD655BEC00C7744ED2335080D5A159D0D59C0E7913B0CB739FE5C58437057952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:34.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D032DD7F2E1F5A833AF155F9609274B,SHA256=78ED534DF4663212FB8014F2338913C71A512F2DE6B3D66064A3E452A4EA3B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:35.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF46027AD03407928F2296FBE31F4BE,SHA256=1926DB5935EA84DBA3C57DB66CC8F1F549B0238F71562170AFA77719DF55DF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:35.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A61345ABCE4ADCAA0BAFD076689410,SHA256=80C19B75BB151A5E99A50B42D14C09931C6F43346EBAC32396EE69CF85C9714C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:32.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:32.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:35.637{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4290MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:35.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742FAEAB063A7DD29397F2F5CA00E6C7,SHA256=B58D64CC8E00BEACEDD9958C8F2EC9E48269A2546EE571570DFA0002B790EF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:35.532{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C983B590FE909E5605ADB013B274987,SHA256=C427B4F13612AFED7A89B14DE7E3AE73BCC7CFF13517E5BB7F5E39FED1C4D721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:35.532{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE9A3F5C765489BB9925868C4F82D3B,SHA256=DAF739712F489BCF483986D949C2E98CEDA38713E97548CF7A84F310B7A6FF28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:33.840{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64859-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:36.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057F8C1FBBA4DA0D13AFF5403ED78D02,SHA256=D2B9BF08775714216ED947E3317D1B9A0133B8FE743F34E01EF9F4B54EE06F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:33.479{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52516-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:36.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0348D14B9035AC7FF49E5100070B56C9,SHA256=7E42522064ADF41035A4DB43E81B3EB40C446405168D9F8EF220A755D886E64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:36.201{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:37.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F844179D0BAD7B2991B4B03DE25AE16C,SHA256=51669055C55E1CC766FFE1D4BA83C1A605F44DE3853FDCA94BE3159BC4AE4ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:35.294{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:37.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CACC375C162AF139021961BE642C46,SHA256=652E49A7BABA72CC3E55064864F6333285AFCE8F09166CD7E1D73D0CED2C6D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:35.723{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001045782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.882{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.882{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.882{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.864{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.864{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.864{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.864{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:38.717{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1B72261F5701D0D4349470C10809FD,SHA256=39A74E0EE92999D966562A1A40248830226CA34312A8BF3C790937D4838F0651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6818DCFA51835E484E494CF47A88F4AC,SHA256=A5582260593FD9CA6F0A15798C08E8BF01D3332CB547D937DC9BF3338118646D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:35.870{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000974566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BEDFAB6E2C05FC26D56D51745A375C,SHA256=2798FC9AD2392B62C654F5D112DE5870E00E2319EC656DA445B7FDE1D25D8662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8656-6151-4179-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8656-6151-4179-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.059{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8656-6151-4179-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:38.045{69CF5F33-8656-6151-4179-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:39.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDC217BF56AB42A15BA68910C0E0B5,SHA256=C737BDD26B3510035811922F0F395ADBD23CC89FD40811A2B47021090E459403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:39.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35745A91C96AFD9C8457B70A5E8B250,SHA256=0E7921CA32F5D3D2954CFC688669F80EBCB91BD80ACD68BBC7EF00F901EED4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:39.102{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4786C5F4D162719C0721FA547756D29F,SHA256=E7CD1A09D059D44DD380C68615BA096C52DB06C3FE634A542FBE1A9E486C9195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:40.748{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0389A6515AF3C359A4AF43148360519D,SHA256=7DEA85722D345CDF07A031793466E3BD25EFE7B223A9AE4879AE0ED3BB7F93A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:40.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36C4EC8A8A7926197BAB14A98B90CE0,SHA256=CAEC8A83C04AE1D37E4A33D24A6169A2A0BAE4231B48EF31CB757D7F3D92A5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:40.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5502917F92D53745C0B3C45208605150,SHA256=4FF325DA774D99F605AE48D046B5B29EBBE6B1F8EE3FC83965082372966DF65B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:35.809{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59158-false10.0.1.12-8000- 23542300x80000000000000001045786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:41.763{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C582DAB143D6DF88C36C2FE3DB45CF8,SHA256=A65E5CA5B7A8C06497E5F41F3AA77D849A010AD874B7880B2F6992F16013C097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:41.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3154D4210BF01429823B3420C25270,SHA256=91D85EABDEFC1D3A2636FA48532A6F73D8F744DF00362956F24E73B80BC585FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:37.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-55168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:42.766{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316FF4602A79E0B4846210C0B36C7A2A,SHA256=BE648042DB98765170AD8F67AA16FC282F3CD21832EDB5BD9881EAE6F7B67356,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:39.283{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:42.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A6214AD3DD2E385C6C1E11C2C80E4F,SHA256=8116B10F038A32050DE53D4ED227815692E33ABAFF5010BFDB642A17694A837D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:40.892{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:42.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFE9F6A2360F9CF777477D9F515F998C,SHA256=2948AC0B50069909595426EB037D4D2A435A790C0FD52723BD1FB7F2E3F42416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:43.787{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2FCB1ED8FE0B57750CB9DF75CD0474,SHA256=C9333987D8FD767D3BEF62D7CCF3C3F3DD613738B9DBCD892012ECDAEC58CE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:43.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C6F6AFF4B7300D2D1196897CA8C8E7,SHA256=5AA613BB78C850E7F35C7041A186E068D445EAAA20920A6349B2C031C2B0C867,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-865C-6151-A079-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-865C-6151-A079-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.950{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-865C-6151-A079-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.904{5EBD8912-865C-6151-A079-00000000FC01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:44.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8712FC3A3331E81FAB9AF2FF067D2B9E,SHA256=73074C9FC30C476F6811521FFC332E5D9E84036B7AEFBD201E8F0470E2D19C75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:41.732{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59159-false10.0.1.12-8000- 354300x8000000000000000974581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:41.312{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53962-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:41.208{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19155-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:44.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2D47074F43AF7275CAF269FCC19D05,SHA256=564CC22E40D17389E1D3207023D218ED2858D966ABF932ED935A30FDDC5BC894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:44.092{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18D3C40F4983AB686F8774AC0090C551,SHA256=B289B3588F219F18CF0C49681AD7926EF14308FBF086C4CF67CB9363BDFB8B8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:42.515{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local58609-false10.0.1.14-53domain 354300x8000000000000000974584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:42.515{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-58609-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000974583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:45.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095CE23AB9C8343C259E5B1E3B85A48C,SHA256=2AE1DB72DBD260911A7D8F7D93FB68A29A1CD9B736C90F0F5D4D0E172C552E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9393CFE7EBB59568692D73B3194D3499,SHA256=C56C82069F793ED17928F95C2E4D2DB05FD79222F13C0915BED15EA72C8786FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C983B590FE909E5605ADB013B274987,SHA256=C427B4F13612AFED7A89B14DE7E3AE73BCC7CFF13517E5BB7F5E39FED1C4D721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.819{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465611214F860D09A8063173A80601A7,SHA256=B76D6F27BC5E9B5DDB310487ACB8A2D635FD7F74EF9CB01E9654019FE7499D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.804{5EBD8912-865D-6151-A179-00000000FC01}41405124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:43.575{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-51768- 354300x80000000000000001045807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:43.574{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-58609- 10341000x80000000000000001045806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-865D-6151-A179-00000000FC01}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-865D-6151-A179-00000000FC01}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.502{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-865D-6151-A179-00000000FC01}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:45.481{5EBD8912-865D-6151-A179-00000000FC01}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E498A2DE4BC52B09564658902C83D80E,SHA256=477AE159A266397D043F8D815341E4E6194DBD566C28C52E6DCCB16D708B7D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:46.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91D965621803B0191C92BA2B13CE0A2,SHA256=BB755C74342E84BE5A811D1CB4A6B6F55975B2BDC5641B88B8635CEBFBCA8A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-865E-6151-A279-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-865E-6151-A279-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.366{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-865E-6151-A279-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.351{5EBD8912-865E-6151-A279-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:47.934{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1295B6DF81EFED4F5CCCB791F8A30D9,SHA256=CB0488E2B4BE325CC718D146391A1ACA05E1227CA834F5F6CB8D94230CB4E28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:44.154{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30542-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:47.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205A426B9FFAA0D0D87055D1F7D777EE,SHA256=264513A8879FF6A953865B058D518CF885D0F96D20F100C64B18FE6B93F240CE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:52:47.881{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37d-0x0babdab1) 10341000x80000000000000001045823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:47.718{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:47.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9393CFE7EBB59568692D73B3194D3499,SHA256=C56C82069F793ED17928F95C2E4D2DB05FD79222F13C0915BED15EA72C8786FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:48.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C82A8653C88E9A3F68CDB868FA5390,SHA256=52819F16E2FE510202A1EB4DCF6AB9D5573E7D4FEDECE5BBCCCCD77A325D6E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:48.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDBBC71773FDBFF98917CAF5EE21779,SHA256=FE7EBC24829D88975C9E75E8C4109448E65269974609C0139E7D2A8DA30CAF48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:46.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:49.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B664B068C3072719D1B303E782D13D,SHA256=7BB1CCEC858F9A67337428B8D753273263A974F1260D68128AC8281B108D1A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:49.901{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:47.556{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001045828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:49.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316011A82FB9FA9C52F959551CBEA09C,SHA256=3239538CF2CA5C468083AC23B0170FCD403355159D0FA6BAA90060C3B351FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:49.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB715D8C46A064026DD8E420BEE1D77,SHA256=5E10713FECD6AB14968C519842C06A36737B6608072F98A815CA8D41273DE9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:49.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B37B4B14D29F3DEAB50A96C51A1BE16,SHA256=F6389B53E1D0B9EFC3B71DBB95CC6F0838D9D99AF6128CD6A7F1ACDB41C660F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:50.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814FF18E73D61738AB219D9234312781,SHA256=AD977AB9DD99F1461958D82FF5FC2A78A6C18263108625111ED9A30DA32352AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:47.683{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63333-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:50.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A85D532919130759276F45C8E4C25,SHA256=CDCC222059C22935E00B5FD84FCAABDF429867ABB5AD3118DBF584F3F292943C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:51.670{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119D58D03FC1F1E26F0A40132108888A,SHA256=99D82BC5726CBC490BE3297C43088536547698808B916D567BAF6C653DA29163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:51.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9131F5B7319B6E2979A7B16D2A2ACDC6,SHA256=8BB0A45D6B362E1E197C91DE3AE9285EE4A73EFD4D96602B870C7ACD34AB4CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:51.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB715D8C46A064026DD8E420BEE1D77,SHA256=5E10713FECD6AB14968C519842C06A36737B6608072F98A815CA8D41273DE9F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:48.110{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-59098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:47.685{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59160-false10.0.1.12-8000- 23542300x8000000000000000974598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:52.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254A12DA8CFAC12B0E8A5D24F54730BD,SHA256=027E27532E3749BF841502AC8F455C9DA3EE2F2129055F06BFA02A7BE0A3DA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:51.258{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:50.558{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59201-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:52.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3F3F603425E0BC33E0D061400FAF9C8,SHA256=C4A3223E887F75645094A646E6D256C83B78063FD6860D2E9181C4F188700072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:52.100{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:52.031{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC17BE2957427656B56863B7A581144,SHA256=BEA57F50AF51AFE48BC3D1A8CF35127B1A86AA96BD225BFCBF9948505C9F1154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:53.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1E686927255385A253974F28E33C70,SHA256=508874C7CBCACF53CD893431E0B02C031F8EA07B0A67AAE45704109628262938,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:51.923{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001045847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.646{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.646{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.646{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.631{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.631{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.262{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.262{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.262{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 23542300x80000000000000001045839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:53.062{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD91BCF0D8DD72C4800AF155F2F9B3B,SHA256=5ABCB6271580CDA110B9B288E13672BAF050460EEEC024664013BD42703A43E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:54.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1D3B7542A3D012A0F7C55D5B375EFA,SHA256=E3E6CF2AE74806E5F69A4A50421584155D0B875A3E61DA0437E729CBD0074A49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8666-6151-A479-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8666-6151-A479-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.832{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8666-6151-A479-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.817{5EBD8912-8666-6151-A479-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.315{5EBD8912-8666-6151-A379-00000000FC01}50966480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D445E077578CB0FCE76C510E274E62,SHA256=E5FCD19A400A493F57144335D9EC94115CB537CCC2C333A3A3E33B4D7561941C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8666-6151-A379-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8666-6151-A379-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.130{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8666-6151-A379-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.115{5EBD8912-8666-6151-A379-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:54.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33D4530EBFEFB6A6ED9ED8A94B3CE2F,SHA256=8462636E8A170F5C5F55094DDBBADEF81C5C03036853A7CD44D226D76F63C276,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:51.113{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-11208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:55.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C7365D2CF99A44CF3F114A840AA544,SHA256=BF8E18704E8F57B6437F37102A4DBF733A2E3FD28593DBD8342EC2F94DE66F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46DA8DD783939081FA1317A44DA98BC2,SHA256=51234DB0B7A199A70C89862AD35BC58E7D7803676BAFFCE3062B515F75FCC3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8667-6151-A579-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8667-6151-A579-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.534{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8667-6151-A579-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.519{5EBD8912-8667-6151-A579-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.281{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0337F6B8B440309E27FD6D6C9947B57,SHA256=0ACD43653182B92D6567C2BCC74F278AAEA3F77A76CC0CA11FD728BF6198A460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.033{5EBD8912-8666-6151-A479-00000000FC01}67765984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:56.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33444906655F41C14F2897BD5E76F69D,SHA256=FBB6483FD6E613B3792DF0D090E9E29CF72B220E5066E7605B3EFFB496068A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F7D4C668D5D751DA535C8DEC25AE16F,SHA256=C86E5D17DA55732E76A7C4F1B8C7F37FEA11A25F9B7554B888AF077133EC4ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.349{5EBD8912-8668-6151-A679-00000000FC01}55325212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8668-6151-A679-00000000FC01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8668-6151-A679-00000000FC01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.133{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8668-6151-A679-00000000FC01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.119{5EBD8912-8668-6151-A679-00000000FC01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:56.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E0585AD2FB041CC9384A542261755C,SHA256=B7F6C74FD20037F9959AB17AF004BFE282E7CB1E9257FE347848BD6D04A6430E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:52.748{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59161-false10.0.1.12-8000- 23542300x8000000000000000974604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:56.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71A6C0BD95E15D3CEC323386F1DC2749,SHA256=C54BB59FA6FC7BE2411B7B76FB77674DEEE0505F7C290ECBCB8D3E5FD4705E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:56.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52AF13D11674BBA849FE9EA5F49CC7F4,SHA256=7D9F4A80C5BD1DB0353F00DA62972C3E64A168D85F09D1EC46FE2682DA380807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:57.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836A4EA0E2D3D7B0C23E7537753C83EE,SHA256=BB553097B0A35E23A48B8FE8B161155D567D655718EB54E87B9E3B720FA199EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.532{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D08FF44FB089FCACFCDB0BFE42628F,SHA256=4A179C8EDC7E693A10EE1DD0B7B019EBA7B1B8A3A8794692267A1BF270E9B75B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:54.040{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:54.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com45073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:58.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424DE1F77C5B4EF023FA2EEA693C5E69,SHA256=E1C1A444C36D67457C8CAC5DC6F7A752EF2D6681B711425B1DB32F9892EB7EAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:58.502{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:58.150{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC50146F17718394B6664152F87E3604,SHA256=31D2AD5DB0913EDCBDB33C1FCA9C0F34D3A9207FE54A11B8BC96E168DEAB7C07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:55.401{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42310-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:58.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71A6C0BD95E15D3CEC323386F1DC2749,SHA256=C54BB59FA6FC7BE2411B7B76FB77674DEEE0505F7C290ECBCB8D3E5FD4705E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.037{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x8000000000000000974614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:52:59.920{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37d-0x12d8e93e) 23542300x8000000000000000974613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:59.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1A8A4921B4E19108D7EF978BF04078,SHA256=B740EAA9AFE6265BC844CB6447D750C875DB0258902B0CFAFF4F46A603721633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:59.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5549111E7C63995BD38C41CF30122CE5,SHA256=001BE61F56144278291750B6F28FD810FD922C5EF08E3C367F4802D0822E8669,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:55.674{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com46265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:00.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E9D8E1F48353331684F06E9CC22D22,SHA256=D87E2F77ADEC76F0688995254402E39337E5F312C49D7E63976E0520A5BD5123,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:57.196{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53290-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:00.076{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C15783D752D9F5356D06313DE0B359AD,SHA256=F223D679AC3CBEA07E42F45D8FFE7D7CF3C736A66398EE7AE28EEE56F0BBB973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:00.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87852993ABBCC24488A2B661F3CBD78,SHA256=936EE2EDDB7E9B1B1D9CE518FD8B1ECDBC944DB627340C28F8F2897787E16074,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:57.826{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:01.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038DAB293750DE84666F4A67485162EF,SHA256=EE8ACA1B523314FAC4F3C875FDDB4AC8297462A2F981D7CAC248C6E1DF8B100E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:59.603{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15-123ntp 354300x80000000000000001045911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:52:59.559{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001045910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:01.434{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:01.434{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:01.434{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:01.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D88A614B3A7103DD406823614FBE2FF,SHA256=785C4BD3B0EEC3BD63A4AE768983A42C6FFFE4D42C5F8AC394B7065DD30F01F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:57.826{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59162-false10.0.1.12-8000- 23542300x80000000000000001045906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:01.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81155A731CE3675AABADC4C2872D3F01,SHA256=893E10D6E4B18390E34A2FAE09819AFD139E9BFD018AECDA9A88FF7293382F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:02.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F584E509B324D36CD5063E201806446,SHA256=B253A879411A5CAA1B74531465DFFA28286A4D74C3C8EE07B5C2F1A3BF0F225B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:02.235{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC553FEBE7069785B063A74B08DF46C,SHA256=8AF1CEAD2B5B23F6A468DD5C6B5B675CE70410AB45417B56C4CE99380046A51A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:58.986{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4500ipsec-msftfalse10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:58.544{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000974621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:58.544{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000974620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DCCD17FD6ECD5BE61E90BBBC3C45C19,SHA256=EC1F2F861CB72B67C1B0130D99163F44FF0EBBBC0735623E78F7AFB1ECCBBE66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:03.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F85B2CF86D87EA79BDB6895FD23AE7D,SHA256=BADCD3D3A627181E2B008AD701459AE08127DA503AED82A0438CDD88E4E02E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:03.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84735C1FC09A633AA9321CA5AA43B8E7,SHA256=B9370E74FE922E5F8EFD069E0707D20535AA4D03582A16427D8DCCD6DCBDE2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:03.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1D3CF9866AA66EDD59B9E5228539AC,SHA256=81524916A75298F9794F790555FBF887F0B7D93A92D3AE9BD4F85298262A1783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:52:59.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001045914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:03.108{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4289MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:04.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E3573215EEF94705A703B6C209D38F,SHA256=AB3FE250CC985EDBDED230B672C28EA2AD6729590F8F4B00C77C2356252856D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.850{5EBD8912-7F30-614D-1600-00000000FC01}12684948C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.850{5EBD8912-7F30-614D-1600-00000000FC01}12684948C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.786{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.786{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.785{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.765{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.765{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001045942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.765{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.765{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.765{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.749{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.749{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.749{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.749{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.718{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.718{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.718{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.718{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.718{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001045930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:53:04.669{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 10341000x80000000000000001045929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.602{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.587{5EBD8912-7F30-614D-1600-00000000FC01}12682136C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.587{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.564{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.547{5EBD8912-8670-6151-A779-00000000FC01}5416C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001045918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:53:04.533{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 23542300x80000000000000001045917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49033DECCAD0B026B9A1EB9355858AB0,SHA256=1E9F4752DA63E00C0F62DF1014A75540AE9B8974339ECC2D32B1D3C39820469A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.118{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4290MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:05.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64DC35D0E2E64AD0482763B0480FFD4D,SHA256=1A71AE73BB1C96DDE37E58A063A6E29EB5D62EE562112CC76378DE41DC5BE69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:05.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478529728E337E7DB0D31468B528E8ED,SHA256=DA4C2EE7F2A4151F16A53CC266AA919C771F442047E62AD787788EB1FB9E2E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:05.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78455755D44A2F2C7164B9B2B57523A7,SHA256=644FA40D00681076E8EA3DC22CCADF2F2203F00790A771757766B39EE51959A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:05.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBABEA5225C9108A6DD28EC47B9EBD89,SHA256=262FEB512B14ECA6B1831943A0821F2AD83044A1ACB1923B24F331FDB31DC912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:02.741{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:02.060{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:06.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACDA4ED0615F17E4B5861F8889E2556,SHA256=B036961F2046B0F1B33A34A2EAB1EB6D285F26B0460E2200A558D2D5B3B8E415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:06.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC61F787D23ACB30F8E5EFCD6DE6B0A,SHA256=DC6E217D29930B8F8EA0FF7526601EFC356D1A56CE90B2C976515D04F243C4C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:03.788{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59163-false10.0.1.12-8000- 23542300x80000000000000001045954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:06.564{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=770E9B67E616D00B1BE93E038B4F8C4E,SHA256=3A34792EBDE7008FE6F0D12EC33A16356641EBD8B87365A22B7B384C001F7971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:06.286{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001045952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:03.771{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:07.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C665E34819792D6907A9DDCAE23E92,SHA256=00087150C2CF41F46B0F52E3776D97380182E3C23816EC83191E294FD770CD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:07.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42EB5D44EA69ABD2D65AD6655FB755D,SHA256=DD837D02F4FC2BF9BC48AA12D243098AE8C13FE0C4E6E86678D8CECF0D8740ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:07.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA0394ED9842A2CEB53C9C3D629AA9B5,SHA256=EB1A128B6D2B442D82625CF42DABE2C60979658D50C4E26E0BC761B4A55D6313,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:04.924{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61505-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:08.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B306EF9F0E94D271D0DEF8A23705C0,SHA256=C3DF96FA439AD3A7C68D5537A58C32E7BEFB3F21D455E67B0A3DC298485D34BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:08.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08A6E7D68FCDAAAD0A1B87F6246CA28,SHA256=068180FCA216467A77D08F2FA4069BDFEDAE64EEFF076DD9428B38345CCCEFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:08.380{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A333496D5B3B5376FBA1483907301661,SHA256=2EAB3E113540EA5E6EDD86711BF69A722449B6C167B54E8278CB6B7015E00134,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:05.975{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65483-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001045958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:05.975{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65483-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001045965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:09.860{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC578FD9A41DD7C56CE59B3A450E5A7,SHA256=F5A346A85D06F241D17B46BB85564FBCCAEAE59D5DB16FA7A9E8EA405F21EF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:09.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AF74436A1B7D83938E1EC38556DD20,SHA256=7A605365DBE7AB7D5EDA97CCDA6B12E98A2AC3BBBB2875C24D17FE711CC9E4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:09.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20810EBED2576CB64B5A2FFEB8273321,SHA256=3A860F76B3AF7AA873B7EABB435F2E8CB3144ECA311F6809C8505FBD5088217A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:07.440{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001045962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:06.766{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72F1B0E9C04CA9BA6D13886DA6DD131,SHA256=EF9AD25136CE9D9F6488B89604985945EC2C311EFACFCE5B30DA10D79E4C68F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:10.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B51EA8AEFC286219B4BE7883DA9C2CE,SHA256=35B3FC559FB6C1A7486DB2E69B50181B16E7411F74FA34B6A11A63D817AC0D7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.360{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.360{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.360{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.360{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.313{5EBD8912-79C0-6151-E577-00000000FC01}42966432C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.313{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.313{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:07.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46681-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:07.230{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:10.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BCFDA58C41AD3982BEC24FD260638FB,SHA256=D5DF6CB263F45061EAD074A03A1EBBF633D08FBD4B37C00DF5550C94EBCB0184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:11.896{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0F7277814BBFFD4B2C6F5F1616FA7C,SHA256=5430FCE3F172FA96606BB647F0CEE37DADD7B6C2E0B48A54569B0328842CF11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:11.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC41B7E7BC44765AFCDA5481CA56AABE,SHA256=20FF112F8E9DA78A2B30E8B0457A5171B085FAA9C67B2D26B4FA320D27FE3377,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:08.906{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:12.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F600D860966AE18AD6ADFB2ED802958C,SHA256=F28C5F44042BFE92FDF1FC4787BB473E0EF13AC5AB5300CAC38947C17828352C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:12.911{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC4A1024B2EA7FE4518F86966EF92E6,SHA256=ED57E52DA8C1E6A1F2D266A66864B369CA0D5CECCE5B214879B9549FD7CD3C6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:10.520{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:12.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2926DD2DA2AA4EAF5E04A6A16ED2B7,SHA256=D8FC642BDFAF227498247DCF55EDA892292E8DE76433322A7D75111552312ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:09.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59164-false10.0.1.12-8000- 23542300x8000000000000000974644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:12.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83725C365F4D7C23B05B3EEED6ADC2A8,SHA256=EC9092200FEA08B3A1051AE76FFDA5760955EF633F9681D61EFDCD57D32A3CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:13.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A680B4C30333511EC7C177CFD745A5,SHA256=568183E253EC2CD65E8A023172420EB2ED52116DF9FC53232FAF40D7E016884D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:13.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36D6319CBF5250E5084DA5F37DED6B5,SHA256=C5A0C6D6AD8F47C51804B4A669F2C4998FB0E964DF06550F364E0C14AEE00612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:13.272{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:14.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337489B19ADDAF0A184C30B1A08F01CC,SHA256=187FDC34F38AE2860CB8C8EFDAD0710510AF7EFD4915DB1F9F112CE8CA153567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:14.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B2A461FB68BC585EE136496D62A4D0,SHA256=E3850F7648D435DB846340F57B5182486D0AC5305D79DD2A1C0501DCC023FA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:11.897{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59165-false10.0.1.12-8089- 354300x8000000000000000974650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:11.280{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:14.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=009D8EE5DDCC96EC05A90B4805A37942,SHA256=7C14B6BC74C37E5F191163A4B9F734A7112A96F2F6408FAE54E3E25FFBE564A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:15.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBECD9DF45ADC106EA726FAF5D04A5,SHA256=CDD4309CCB5DF9D8AE90763293457D4DA77D89B76BB5143DACA59058603CFD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:15.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F94ECA226FF044B3655C98175D830E,SHA256=BE4E7EFA02D20E27378C9DDF49734070F2B2BB5A8A71DD143AE86E88F9879258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:15.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241F13BA7264C90134269B6FF4FE3465,SHA256=A20F1B507235662CE77A764B5BF6FE79098C8F266A63D5D34E1215B030A77D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:16.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C9C54AA4991B8739FFB79174A22C6B,SHA256=8DBE453845D3D92722FC2D7449122AC9AD923B7F9A4947D1362028D3AC150063,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:14.818{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000974656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:13.207{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53290-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:12.741{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001045987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:17.825{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:15.834{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65486-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001045985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:15.834{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65486-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001045984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:17.210{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C506C870CE42F1C25604755A8E9FA8E4,SHA256=73B3AD4B5FE888A2977D6C7D7F8F00830F1CAA609D3F43B92DEA7B2563803D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:17.041{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4465A2C99CD11DA177A3F8DA778079A,SHA256=208D5984843A3FF9168488A6EC8BB329441B3574F4AA49A30DAFDFE13D590D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:17.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D108AB2B5133C043F7FAF3A0D7AB4D3D,SHA256=D0376B4E1055C598C258B10089CA2C039A2569CB7519F49BFD53A012C62039A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:14.881{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59166-false10.0.1.12-8000- 23542300x8000000000000000974660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:18.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38B630A6155F7FA315BA4CED8F9F442,SHA256=0CCA1BCB5A61F838E9A827AED6B4A73E20F6AEEFE1386D655311FE77C6DE01E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711C75E0C084CCECB343CD02E1668246,SHA256=C6BD8BA775098D3B2C426A2F66BD173F906041AFA5CF6F89E8DB8820474939B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BF25F86C58E906CBFA40C972811A71D8,SHA256=208B2C44EA7115A56BD60B7A4AA2D92EF1AC14508BDFA33BA7004D0791B731A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B596FEAA71CDAE80DE9667BC3BA1A0CD,SHA256=A195248466C82F9D457FB92DFB961FF8B01E3F38CF3F21ED596E80FFD38236BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C4FFAE98B793EBD18B612434BDC61D5A,SHA256=DF2ABD5EC84AFB37AD39B01DBF0FBF050E23BE0937A8733F6922A7F514C8AA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E934B10F18A561238175ED16C2BEE40A,SHA256=A8170EEAFEDECF7CB17A8D1B76C9AC8521610D5CE90700C12A64F4FCECCBF0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7C370C724695E732E8880424B3B19B18,SHA256=834B8D58F2CF4C039A43A3BA0B8B6931B6F912F1B75A8CDC5CD3A4440AE3A8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.124{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=13BFCDB54F53A79090122B091EA8B444,SHA256=B079C8C5BB495E1911B8F3734AD90E2421185C218F00F84E86DB0F265539A9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:18.056{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BD1E1B1BEB9B505F99A875646E4FD8,SHA256=765F8F4332C5C05A2BECD9916AE3CB4B3F9C162BEF76F39DAC70A30168C7E639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:19.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD11C37463BEE882DC99C3E504D5C92,SHA256=750433F9961EBC3CD9480EF3AED12B4BDC037401DAD99041750B066703BC9F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:19.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2049EC11937FF8B55BA4BB8AD25B7C,SHA256=320015F091904E5135AB96D8D8EB26A06628107C3065A2DE15B301069B51AF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:19.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1116366EEF10034D1D24E01C3970A3,SHA256=CAE890F9B47E6B97F0A4CCDABF3B31761E0F4A23A21D91EE5CCF55B51BA5B686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:20.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541C930B4443DF79CF400ADB7C13432A,SHA256=DA976A1DF5C4EF2F7AD287974E6B05A354521FB7AD4EECEC0D5F19E261E72F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:20.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDFFED1DEA2F75D7EE7D2245A42487F,SHA256=98D0658052A6FE1F4348503262F5DDBF59CF6563F48CC727AEA77C556E654345,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:19.031{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001045997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:20.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53642CE51EF677D24E9217667D6F3A88,SHA256=28C4DEC2F4FC834EAEB9D3EFBBC7C541E33B3C855E17C8166D9F68A29A6464C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:17.221{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:16.863{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49992-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:21.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4851294309A38AEB115BB463CA0C620D,SHA256=2353BA10672B1EFC2D19A6C6B70C6DBA429C64EC8A7229A31897133E2C64AEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:21.993{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:21.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E143F521160CEB29CAC2CB1B37CB1B,SHA256=714CF88F82A8F0BEFEDB4FED6AFFEC6B18973DD4FB04A1080981CCA496AD36DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:18.583{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:18.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61129-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:21.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD53D4809AEF979476F8473B57FBFF0,SHA256=91377FE1C6BE552713AF0870528E6CF0317CECD834A310CB08DCC30D3B4C9F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:22.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A4661A124AF2EA0CEED4A03A3D0AAB,SHA256=311168A0810ADE3D9D4CE7CD6D5C7C96C95DB2AD9D9AEAC4E918470BC8E1446A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:22.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5F22DD600ECC19379D68334A00D33A,SHA256=38E3A709F470744CEF48928406BA48908B011B9F1B8E8999C0997E2384357778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:23.524{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE9135FDC94157FFCDB178B51389059,SHA256=6787509C74B7D24A3E7578379829984F4AAD80D441B55291F373812A672B304E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:20.861{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:23.256{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A39CD5DB7A6569916B82986C2517B9,SHA256=28FAB9D5B91688063642FBCF124839DD5ADC42029C60CDB655B669F0385F6F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:20.424{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-11948-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:23.258{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE305A87E43D581E868482016C3DA3D5,SHA256=4112300EC6B84452003B0C17936647A3D335D4318F89F5D4E3CDBED1561690F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:24.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9896F4B994F70734E61B03D4E7D305A9,SHA256=8A84687382155D11F28C3A9BDADC55069884A9992CB5B3020B9F3CE12718A7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:24.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C9480B44AE9D72822287A2811BB999,SHA256=945B651AED7C08DD0B9B86B3B541DB8E51C692081C965C653982D08B3589340A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:24.256{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F3776C8856F7EA9D7E74A5BBC8891B,SHA256=5BE9DD9A74E3AE16572C2AB523DB0D79EFA8E403122CF6572F1005C331C11944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:20.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59167-false10.0.1.12-8000- 23542300x8000000000000000974677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:25.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5493AF957A77A6746108860F2E8F96E5,SHA256=AB1892AB188324DCC1899F3DF073501883BBF44EF400E4A77664A4B06B32ED90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:25.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBC09ECD6322AF706CD424D1FB004E6,SHA256=693FAFD1E9D91AF0DFB4F2C1BFA015AE2A413710D774235C20BB01D47DA4ED4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:26.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AB94B8BD5BE96F2552436A4570299E,SHA256=8A0457FC551DDFCB32286122E7C4481A5A1EBABB6DED7406DE189DCF4A13742F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.836{69CF5F33-8686-6151-4379-00000000FD01}9561872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8686-6151-4379-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8686-6151-4379-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.680{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8686-6151-4379-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.665{69CF5F33-8686-6151-4379-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.524{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AA4EC1A65A3EF3E22FFB055A8BE7412,SHA256=16497079AB9782424776FDCF3698F2C8F039595067BBDD24025A45CA2150A5AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.414{69CF5F33-8686-6151-4279-00000000FD01}33603588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:23.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-31393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:22.100{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8686-6151-4279-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8686-6151-4279-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.071{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8686-6151-4279-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.056{69CF5F33-8686-6151-4279-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:25.888{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.75.145-65113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:27.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1895357FF0F1DC72BB39E8DEA1AFF8,SHA256=BAF7BA0DA5788903C8640951362815C11761C735C1EFA6C1C417F55CF7A6FBC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.977{69CF5F33-8687-6151-4579-00000000FD01}7882680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8687-6151-4579-00000000FD01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8687-6151-4579-00000000FD01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.836{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8687-6151-4579-00000000FD01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.822{69CF5F33-8687-6151-4579-00000000FD01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD20EAECBB5D227560732386D9398BD0,SHA256=AE3865BDD492057828DB1E5F61C24078AE506127D5F15F3FDFD0553BE80278CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8687-6151-4479-00000000FD01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8687-6151-4479-00000000FD01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.196{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8687-6151-4479-00000000FD01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.181{69CF5F33-8687-6151-4479-00000000FD01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A6B0199516A821E599BD4F38E4A87D,SHA256=20526A42331EF4D531AF1F2FD6701F7121A9488C1CDB8B146747CAD270B91DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.836{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0413A689335617F25D5E375758D2B186,SHA256=A594352871EB997C0D2527883529270030BD86E378ED30B5FCD115A8EF018072,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:25.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40998-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000974751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8688-6151-4679-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8688-6151-4679-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.461{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8688-6151-4679-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.448{69CF5F33-8688-6151-4679-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:28.446{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07D7707E7A3D6CB20683F127739B85B,SHA256=24F3198B03B4CAEC144F138F26E6B29F2D41E40FDA7FC8CF462FEF5299FE76E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:26.853{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:26.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:28.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DB62D3E15F73EFD6B9064650C069BE,SHA256=EE3F5417207BF1D5B94A64AA237649B65209185069765421FE1F3894BCF45724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:28.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF17ED78187B421C2FCBE09DD21FE05A,SHA256=845A1EBA6BE34FBB323FA61C4F74FFE085A07267014D2E3A6465EA05B4BADA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:28.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC4C026410625883CD34A3D2143E2AE,SHA256=2EA22E36C7C5882E9A2304C2D98EC1CE46FBAB8B77569C6CD9A0F2BC35B9A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C503DAAF82423AC6E7632A534245190E,SHA256=1F5797E1CCEAC44032E886BA0C3A214B4492FC03F850A3F58D5F20C52D45AEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.436{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.696{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2A9E3453EA3244027C76939B68897E,SHA256=423D3ED431DA07FF0A32A6FA75E749E0951E29D8C6ADD3EC9421D79C3BFE52A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:29.381{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C71F4065571E9BBE73D6E951546D626,SHA256=3A6A58C990D13A422C15097A516A1DED9DF08076B2D6050D100454839BCF8F42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.242{69CF5F33-8689-6151-4779-00000000FD01}39042848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8689-6151-4779-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8689-6151-4779-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.086{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8689-6151-4779-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:29.072{69CF5F33-8689-6151-4779-00000000FD01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:29.274{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:27.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:26.836{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59168-false10.0.1.12-8000- 23542300x8000000000000000974771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:30.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02594CC33DB720D4F61497DB4C187C6,SHA256=1A0A16DDFC6F43A54323AEAC51F31D72360F26CC3D9BC48E81AFA42EE09A1E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:30.839{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:30.470{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F3FC626B4DAA96D37854091613E29,SHA256=E34BD2780BAEC370600D79212366E91285296CC2238FC07BC38BCC2BEC7F6ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:31.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E947FFCDBD3AD10B185B2005B8F22981,SHA256=56B883C3D5F3C5EC2AADF3BD20C3D53D3B816FCD7712F0C00FD14B9598CF02F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:31.489{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797C5581328DD0B1FA7DE2A6B568B670,SHA256=B00A262DD36CC2F9A28619AABE63BDA0DBEBF1A323FED7B4069A7A8744E7A57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:32.494{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642425C531DF07962D7AC092E4FA8362,SHA256=68EC25B36F375E870C9F8205B9C675C602F55CFA6676AC5F57B3DE23ACFA3811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:32.414{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4EB1181D30AADBB4A2E532FC14562FE4,SHA256=A5BBD2DDA3DF4CA8873E2F9A74C83637D7B9DE65DAA553E7B5C5BF36C2FE27E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:31.881{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:33.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E493B60392751954C1F7A7D10A776FA9,SHA256=42777623C9B5865AFA201AF27BA38344C706E067D68AC4DE5AEF420CE8A604D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:30.053{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1983-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:33.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB274DB846DDAC9402A092D79DEA112,SHA256=C9E8F1B85CE6C7544F4E59DEEF02B7ED430C1F8B48A0FD0FBFBE8345C8D94F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.513{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC8554577E1E98DC3D73D74C263E835,SHA256=9F943F3800980D5AC56734EB4C355C2C30685173CED413E9360A35D0F7036704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:34.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A220FD640F910E3665B145FD7239208C,SHA256=E8D8A7F1C2C531452DE3AD1C9B9E879C5EC4A09B335EE7249AF6457DB66F1A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9AEB7EEF2DAA1F7964163E57D9FCD894,SHA256=8C6A0670515374B6ED15AA60E20F1CE02B8C4C5DDD93DEA6E5B9C66F57750503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B2C11170D59788C546007FC1DDE7CF7F,SHA256=0007399DA08A5D96B8110D3B1A9C7BF9826D2D5553FBC2141AD2714E43B07542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=087D9700902FCAF1A8C409D1729B2141,SHA256=84405DE3EAC45B06D7648C2483B9EED858EC11034D73A3978A50B0CB689EEAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6B8A4FA9EB585D8504812CC6D72D9A59,SHA256=FA2D30EFE98FBDC62807B6770C7DFD4AD90EC8F19B934DD87C92B0BFFE7DEEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6238822E4617FF63C9A79FD9AFE58926,SHA256=B8E71E3AF678257A948D2E497ACDFA15FF8DBA45AAF2C16EA375BD666B426F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:34.227{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C021A9CCD063791382EA4C9BD24C18DD,SHA256=7B1F2014882A1A3139A2140DD4576D3CB693CF693156D807B29E1FEE59475AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:35.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D9D2356EEAC0B5321BB85614343852,SHA256=A1618A5936DC505B9FC52E65EFBCF258203B50504E5219C0C479FC88C21088A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:33.246{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:32.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59169-false10.0.1.12-8000- 23542300x8000000000000000974781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:35.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F22B6D0342D36889F4E9E31FD2F4A22,SHA256=87B224EF5E5CB5E24242A3CD9B02F97C47D4117D04E597186202DE39947FA20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:35.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20A0F54C801A9BC7AF3997568FBA4AE,SHA256=A6203C47D5DC3021AB0CC501D3B71DBAFF5B45DE536A6F2654A277808BE042A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:35.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DE8B8026489FDCB50E58CBD5A22E0E,SHA256=C52C9D2B942D4123A9DFA9325486CB6AA7E0AD14D588A04C5BE1C7BEC1867718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:36.543{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E4BA2B525F285A5D73175AE26DE142,SHA256=7847E4C95391C8CEC228D15C0089B495005F72D323B8208B2A8F478B7098EB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:36.166{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4290MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:36.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7045E5D407F86B6306312354204D12,SHA256=79A9D1DD819F086F37AE72298A4E1595DA8F3413FFBC7ACCF889AF41420B2F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:36.227{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:35.903{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001046033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:37.558{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD26D7FA0B087BF2A95DD32A3AC8A377,SHA256=BD9C3A98576E2406F14605217BBA916C6F481939306D6F3AB149BE493F19D140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:37.181{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4291MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:37.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F7CECB6A107541B68C89B80AF44826,SHA256=D78832A5C3F347A698D53276B007185FEE300C185E098A908E2053DF66F8111B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:37.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F22B6D0342D36889F4E9E31FD2F4A22,SHA256=87B224EF5E5CB5E24242A3CD9B02F97C47D4117D04E597186202DE39947FA20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:38.576{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF1BACC3CC0800A5FE23314014A00DB,SHA256=77F6DCC0D158FF4BE0EBC34F94F74E2D2A4AD7D3144DD2784F82D83C29E7C42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153BDA1A2E392C878413B785357666E7,SHA256=5A36734DE227BFDE871D523ADEEEDBC4B51BEC88DB8D577D39290AE59ED8B137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8692-6151-4879-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8692-6151-4879-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.059{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8692-6151-4879-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.045{69CF5F33-8692-6151-4879-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000974790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:35.169{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:34.201{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001046038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:37.804{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:39.662{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7187CBC900459F3ECB4CD6560C6A57E,SHA256=C7692A73AF8BF3FDEE91878BCBA9CB0A342A2CB65E0AD201D54A0668735BF167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:39.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74065BE042F8304AEFFF8C4474122D02,SHA256=F53C5B33BBE46D7CBBE4CAAE73E48DFCAFD5D9316F6152209AD3795957B0F6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:39.115{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=796CB975111D8B2D22D6254502C2E93B,SHA256=F092E36253EF1E10698AB359CF49130A78A71E7D96A683C2B7A8D895CBE35CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:39.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C5EF0966F07170E44DECFE5287B1E73,SHA256=A950BF37721BF0F723B020C03C84D775B4889B6DD1008BA8BF7397F3F99A0E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:40.718{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1414B1D0CB2A36E9819C1028CE4FE4A,SHA256=0890E1451E3F1DFB2F88321265F18C73615B70AA805E97B30563FF154C7B7B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:40.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094F2A0F4BBF2E402B6AEAC670F57535,SHA256=C56E3D5CE24EAF79BEC427D51512F3EBE3D39C008BD940D2F2C71C47024BFC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:41.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E2CFD9202996F78C2BEB386165FBBF,SHA256=D4F8E2A4BFF59E6F4843F9BF0D6AD922836E9C1156EB48C60988AECCB15D4D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:37.333{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43814-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:41.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482339D2726DAE068CA5221F9627093E,SHA256=36C183FDD8C5D06C53D7961081659E7597E28D8A91A2E8B7E80C0C1E2290BA20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:41.288{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:42.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC8A32F8FAF37AA0FD45887FA8C7968,SHA256=AF64CCDB938ADBBD9AB95EEA536BEE1C7F4666A3534FA33172504F9FF10DAE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:42.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5605ABE5EA41986C7CA2337B64409C17,SHA256=C49A54F26F842E2EF77E7D180E5ECE019CEBC2E36F9D23ED88B57457280361D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:38.763{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59170-false10.0.1.12-8000- 23542300x8000000000000000974810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:42.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA5BD0FEA38E0E0D466C75B8B62E043,SHA256=B2717E70271BD751A10D0A10E8BFCAEA3338EC9312A956393D327177EE6365A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:42.003{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ED079C3DA81400579AC86CCB248AE3F,SHA256=E246FA55B9B84B8DBB1471E25280FA4A5C03E55BEF0FA726613F752AAA27A698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:42.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DB62D3E15F73EFD6B9064650C069BE,SHA256=EE3F5417207BF1D5B94A64AA237649B65209185069765421FE1F3894BCF45724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:43.787{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BBBB1F1B0FDA483698F370161BB5E8,SHA256=F2435A6F90E2EB4344E33C95BA74D8FBA7C5D4E92A211425682EAF849A5801A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:43.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91005F2C59058D4ADB7E0D213FC2F971,SHA256=97BF8A4A260063BE94332F7454A0D43C498E016A9D0660919BF508BC3F59A492,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:40.119{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57583-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001046056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.927{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.874{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8698-6151-A879-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8698-6151-A879-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.858{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8698-6151-A879-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.844{5EBD8912-8698-6151-A879-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.790{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07669EC16CFD2265ABCF8593FB16BE,SHA256=7370DD8BEBD22B91143C6C9D9AD9E17F49461798945C4EA56CE510E531FE3D29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:41.512{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:44.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCFB6BAE1B59DCFB218B8DE438C6E5D,SHA256=3CDC68A049AAEC494D92952DCB043A06BD56019D375B43D459827F0857B4D539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:44.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E73399C262148596BDAD0501192134A1,SHA256=D15E1986DC551A7D512C28992A3C23666BC89A621B7D99F56AE7D70D8C5D6DA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8699-6151-AA79-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8699-6151-AA79-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.971{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8699-6151-AA79-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.958{5EBD8912-8699-6151-AA79-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.236{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:44.140{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61462-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:43.832{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147229D9714BD5B3B4735F1C5EA728A,SHA256=B1D746ABD42D9E16FEF3D97D0F8505546CC8DDA071F2487E153F7565D887C68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:45.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD116F11CB505332CD5AE0BB5171BC62,SHA256=4D670B7938DC01337634A722094417B0E013A83422543DB971278038194AD15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.758{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ED079C3DA81400579AC86CCB248AE3F,SHA256=E246FA55B9B84B8DBB1471E25280FA4A5C03E55BEF0FA726613F752AAA27A698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.483{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8699-6151-A979-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.483{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.483{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.467{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.467{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.467{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8699-6151-A979-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.467{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8699-6151-A979-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.446{5EBD8912-8699-6151-A979-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:45.240{5EBD8912-8698-6151-A879-00000000FC01}49526872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB38E0456182F9D1F7AA72F4CAD83D5F,SHA256=B2DB59BBA0DFF30327CCDC1EC8DFA5F374993D2253399E5DCA38000D4E4789F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6852435AAE29CB2769E4F1DE78DD7EF8,SHA256=26F171F7EF9B3970B10C1770A8AB6036638906A8A1FBA352FC2248CE1905893B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1916854BF3F423B71D083D0C77BC13C3,SHA256=6E09060E26C02B1CAEC249E2C4E8565BD0D8F9D2C75536EB8382E8F656C5AA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=AD18501D0EC5BF1857A9679460933529,SHA256=BC3F907BB18EC2CA64145604A9D720AD3C71F47376A259418AB377F130B33465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=535E22AC9C8AC9FA83D2EF2035BA5977,SHA256=AE339003A01C1F68FBDA660E05CC1C87B23A46BB6F9AAF65976C44EF7D8A8BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B6D54A5482C7A4377E18A9CAAE7C18F0,SHA256=7B6B716A479A18B7394560BC4200D60E22FAD7EA864619FC0EECC7B35DF432A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.888{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C0A86D7E9579D66A1866D9126EC36AED,SHA256=35074E9463970F11E7E56883871E880FD3027D58955A332D50863333F2BE7B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19128E7E22B9C856FE12DB150F3567ED,SHA256=BF13495AC01EE61A08C6B65A8922B2F73963A3FB0D07C5435422C12DEFA9DE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:46.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE184D848F8FDD01164EE8EBA13F4B7,SHA256=5E34222C26CE5598624B604FC777A44F7544E1560E16F3B577BB32A77662381B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:43.220{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27087-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:46.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=243A665DF61354EF8CA50BB05AF34A0D,SHA256=8E4BCD0E1E3F04CAED66397F705F3F44CCB53476573D07E35162E8865D00E8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:47.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9703D0C7B8AC6897830AC0A23B7573,SHA256=F02B61B826920F8B08457F6737AD17FB7F8920F22FAA2DF8144E7615B5FBB906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.888{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947E9810F246F7D9B9DCE2355E649DFE,SHA256=D72EEEF5A5FDC048E7D64A9EC97C398A00AFE7A6CA72C0897E4B6D4513E5B7FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:44.748{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59171-false10.0.1.12-8000- 23542300x8000000000000000974823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:48.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD037E36283C3C776FF7869F2D796D89,SHA256=149E430C99ACCB733CA3F0CBEC4087A35870083F64F3BA67308B34E001258539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:48.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE0D65673CCD1A917E8F4AC4ADE0CFF,SHA256=BE35A391DE3D43D3A3FBCAC6C5F329A389F1EF68579F5EC09525289AE67CAE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:48.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EC4B2D18989B5150EC0B34C3FDBE27,SHA256=9EF1AB7543E7B2C5CC71FFE08B91A992C6C12A2C644446EC32623A17768634FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:49.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAAB359F563AD1D21B688FDBDD6A781,SHA256=BAA674C782AC14DC0C80B039E05E296C28C3EA78ED245A60DAF27BD73F639E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:49.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BFDC414E2C15F8951A34B3AC3C5ED1,SHA256=EF531B67695805536CC552EAB976FAF99877ED97BC97008D5E6E91FFD01A9CC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:46.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-37010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:49.389{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B91CBE67596BD0B1969F23D5B3320412,SHA256=F9715A012CD869E39788745D09EBBCF44B1F7385C8C03C533753DD5EA1A06CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:47.100{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61872-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:46.593{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:50.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E69710FEDE2783ECC4D8379B248EE9A,SHA256=DA6856086CD237068921B66A2F5FC219EA1FBBD5E66D08827CF3B8EC7AD7150B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:50.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4255A5564C1CA69EC0957AD95DF05126,SHA256=3F77A70CBFF781FAF4DCE03645999D42C6A8A5640F0F9F5D6E99B05F230F4A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:50.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887F30EEA1634C6783485C48E6EF07A4,SHA256=E2DDB12F12A1C2EA529A7AE7B2F97E1BAFF9C6D26C545B667DF112DA882EEFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:50.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DB5443DF918F293CE0C7F985BFF5D17,SHA256=040E5F0D7652A1250EB100697D194103248B72AB9660CE68E8E13625F0744B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:51.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95F63A659BE0C014188B44C88A2D034,SHA256=F3DE485FCE3F744A80A0DD6CDFA9AA9639DF19ED15CCC021BA0E2BE134000B1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:49.079{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-63396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000974828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:47.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:52.987{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6DC324517A045B1F8CA467BA5351F,SHA256=D5B2D1742B07FDADC0EAFBB5AB9233FAB8D2E709C78E36041E914E9DD8BAAC98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:49.833{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:52.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4378E679507E33B8C6E447F8E227BA0,SHA256=91BBFDC4D63072B1374D37A73DC136436F388AAA3106F57D4D50407512EBBC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:52.076{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA995EF0FD2747A8C17DD918C3BF8E74,SHA256=DF0439C58280A680E183E2EDBDE9E37B8A08382EEB4BAFD70CF9296F8D491DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:53.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BA8E74475B52F9C2D655C0A83C588B,SHA256=9F7DF257726558E4671F367FE07FB92E2622328C58E241B47663D6FC9CEE726D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:51.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:51.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:54.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B9C04B3F208FCAD63B579B65A30893,SHA256=53384C059BBF777905766C2920D741BB2C5057CFF6D85FD405DED5E6F098343E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:54.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74077862429CF7A963C7BA092EDD62F6,SHA256=DD54232213B42B6109C8A24D5299CAEA9B8BE64B8220FE0E728C43E7716F6987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.874{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.825{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86A2-6151-AC79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.822{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.822{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.821{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.821{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.821{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-86A2-6151-AC79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.805{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86A2-6151-AC79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.793{5EBD8912-86A2-6151-AC79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.792{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.690{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.543{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.290{5EBD8912-86A2-6151-AB79-00000000FC01}60045908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86A2-6151-AB79-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-86A2-6151-AB79-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.105{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86A2-6151-AB79-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.091{5EBD8912-86A2-6151-AB79-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:54.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9918395BEFC43C7AB2A0E67F5395D4F6,SHA256=0E94ACEF2CC532C5509989814FE0AD2D8B0B9A7124D4C69E017B3C0C8F225790,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:50.732{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59172-false10.0.1.12-8000- 354300x8000000000000000974833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:50.626{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:49.863{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6290-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:55.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3011A8D5692895B455F111D5413857EF,SHA256=095714084237CB7F2FD9BE4C0DF80076AA61A933B856645A217BD5B40EC224F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.689{5EBD8912-86A3-6151-AD79-00000000FC01}45046000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86A3-6151-AD79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-86A3-6151-AD79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.505{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86A3-6151-AD79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.490{5EBD8912-86A3-6151-AD79-00000000FC01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.105{5EBD8912-86A2-6151-AC79-00000000FC01}50967056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.089{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6EA4C7371BEB5EA16554C2503889665,SHA256=2EE26354147EB322C79451F98F0F64DB3A239671204BB2A10F13615BFBAF1999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9856C49B92CC5C912AD8D393F9F83A2F,SHA256=326047712E0EE853932AFF6F6515B8ACD78B9793CBD092300013F4B4851E3DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:56.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF967D7A2D31B6CE405D1F6CDBF40C9,SHA256=D714B57A08CFC286EA479E3A5D8C8B93443C16A8DC78FB28B352296A383E7B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:56.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616C036EF68E780FE1DEF32241B6ED3A,SHA256=0A2D3BA48835191CC98E5445872274F074C35281E61C37755EB0992A36AEECBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A5B83D41A329BA4094D044546F2E31,SHA256=65446AC74C6E710C8BF5C3CF453111BF8743BDC29257A21C12E4CF5F2AB9123D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86A4-6151-AE79-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-86A4-6151-AE79-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.189{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86A4-6151-AE79-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.174{5EBD8912-86A4-6151-AE79-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:56.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EC2C53E67BD301961208AF302BEDA6,SHA256=29D978F8F43528CE9E68D9F9868A96274CE08739A34DA78687FA443362E35503,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:52.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53809-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:57.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAB4BBAD3C4A1884409B2F1CB137986,SHA256=3DD3BD3C7D1060BB42CD7B7F18902CEB10D365C11256A9403A4BC4BA27D7EE73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.804{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001046188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.347{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50728-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C326EFC62382E1B23315BCCCCD9FAF,SHA256=631E1760D1603CD914F06DAC179F52EBEB9EDF7186976C9A11CC0905F53BEAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:53.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27585-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:58.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57404DA7A6FFDBD04CD697EE1DDBB66,SHA256=44AF61231EF0904FB567A192DC70C54D83E268AED0212EB75834A73F4B4AE79F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.817{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.816{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.779{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.779{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEFD756CE8CD54D6E371CA333044EE15,SHA256=9BD1D6CD69D2DD182AFEE70CB6C3D0F0B5F02AF9E6FB4A52361B0185F313A6DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.400{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.400{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:55.833{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.058{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25211F2280E9D81FDD865025F211332D,SHA256=E88131E86C6E58D20F7B75EDBD47B09A24C069B12E8D8068CF07918218E4CD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:59.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BACAD62A9E14E1DA327AE6E6818CA4,SHA256=1304F6FB3D878F1BDCDA0382BD96232C66FA2CB60E5ABFAA8E4853659FA0939A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001046218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.394{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com02a00:1450:4001:82b::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001046217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.336{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gblobscdn.gitbook.com0104.18.9.111;104.18.8.111;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001046216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:59.528{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:59.528{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.033{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65500-false104.18.8.111-443https 354300x80000000000000001046213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.018{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58338- 354300x80000000000000001046212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.504{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65499-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001046211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.504{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65499-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001046210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.500{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65498-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001046209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.500{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65498-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001046208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.499{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65497-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001046207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.499{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65497-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001046206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.391{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65496-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001046205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.390{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65496-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001046204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.383{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65495-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001046203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:57.383{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65495-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001046202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:59.095{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BCCB2D0DD780C51153F6419D486C2B,SHA256=A48ACE42CD65AD19B3B746594B84614291A57D68EE2E7362631E2013654F96E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:55.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59173-false10.0.1.12-8000- 23542300x8000000000000000974850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:00.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA89005B2529C6E795C41085098A5B5,SHA256=5FED9098C7C696C16605D23FF0346B98E80FA653B798B19EC58F28F337F403F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.551{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.551{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.525{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.524{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.084{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65501-false104.18.9.111-443https 354300x80000000000000001046223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.082{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58872- 354300x80000000000000001046222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.081{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57053- 354300x80000000000000001046221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.079{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51215- 354300x80000000000000001046220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:53:58.066{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65347- 23542300x80000000000000001046219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.124{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020AD6BA854E483387856420FFC7009D,SHA256=DA2AFB0303B3807AD278F604E13723207086B0B9C4DD2751FA9A48F353FCBCCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:56.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:53:56.917{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:01.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792CB8BB1FF25349BE175549D0DD9A5A,SHA256=38C7E2011A3664EA2DB2C9C8B4BB705E0CFCC208B90429697F6D81E8F9EBB454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:01.765{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:01.765{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:01.392{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:01.392{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:01.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF58E00142E2DAAEF2603100A78BCE93,SHA256=CC3649D6CB38CA9ADD7BB42B2F65AF67985FAE1426AFFC081450800B42FEBA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:00.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2296F5BA0576013109951FC83474841,SHA256=612357CF55DE031E54C85EAC6D6D733F2D79F93E1F897388C0C3DA4C83F3C03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:02.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C71556467BEB004D50F68B81A943F1,SHA256=8497D076F6EAB95F0ADD28CA4F5CDA459730DDA10AB2C9E5DF4F7BDF6BF5E9B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:02.412{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:02.412{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:02.209{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF9064AB558E930DAF37494DF27DD5C,SHA256=A5E5397885F857C60DFC4DD51D209B55F224D338288E245B8892AB54D34FA51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:03.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4AD72BD1573B2891E5DF7AE0A3F2C9,SHA256=BFBFF7D22925A1FE6C8107FD113810837E135BA274AE124898563F844DC3FB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.397{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=E526D4D6C4A7620DD954E5236AE856D1,SHA256=464BAE59DCEDB96555B618EE7CDA4EDBFC4ED3244FF2101E9AF4779488F93498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.397{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=9AAD8F39604F7DF258EE78237B8E628B,SHA256=CFEF7534E1E02E5EBD70A05568D1930055D2AF79C400CFBF08A8A0ABD99DD908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.381{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=93D349F1A7D868A825FCFB74E7781D8F,SHA256=320A63E16BA6556AF526140A15E050D69574B859D9EFCA55D973E68A427E912E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.366{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25EDF9A286D28CA04FEAEB1B9EE9488,SHA256=440C82E35675FEC0C47B890E2C9F3D0B0C231651AA0568BC79876652C1ED8298,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:00.904{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:04.651{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4290MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:04.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC72243593991F6207BE6B797B806623,SHA256=5D6CF304D9DA6E8F0585767972FAA78337B9EA973F6E9B956520A3F03C8D9AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:04.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F25E2FF33AE13776CEAE14C435667535,SHA256=69390BC9194DC85FE4A62363C8EAB03598241F1A4016F2ACA267A56D7CE9CD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:00.970{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.668{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4291MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC247C53BFC606BEFCAF500B78561C32,SHA256=A573C820A7AE061360DFBDE2F2D0EFFB7BDC063692BE52847CFA202C5BA472A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AE410C3F7987D2BC2875EC9D559C87C,SHA256=D5FB6AEF7431503FD63987233BF8339FE5EFE069CD00849869EC6E0D53A9A6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097815E59F5B4AECB84B689018DEC1B7,SHA256=921B6478575941088A5826135C8A897EDA56EBEAA575227FCC6DC3AD7F3EBD7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:01.780{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59174-false10.0.1.12-8000- 23542300x8000000000000000974857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:05.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEECC692019DCB5320E79078E692576,SHA256=3E07B6AC5BEA930604211C19FC1ABBB8267C64085A91E2E3CB8C6B9889F8E554,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:03.975{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55887-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:06.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7980C0F657FDBE2BF6A951F6A6030E2B,SHA256=57C4A05A459CEF7B517B02E3E4EA86FDF7C1B6D8DD78E5B65501B67A3DA175BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:03.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:03.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:06.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71347A75F3E80B61CED92433C98B3F9C,SHA256=AB4721EEC5C504A0A6534B12F5497F5FBE5DD48803EE282CFA5BD3D9C95E9999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:05.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4529B81BEB795312334A025188BED9A,SHA256=202F68A63A2A4864E466487E19B0E9AAA5DAA92BD8EA09EB6E2241918757D523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:07.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC247C53BFC606BEFCAF500B78561C32,SHA256=A573C820A7AE061360DFBDE2F2D0EFFB7BDC063692BE52847CFA202C5BA472A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.907{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:05.053{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:07.281{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998ADA2EB732CFA4CCFC41739DF009A1,SHA256=B2AE389EC5815DAF0EC46AEE1518E4964D76A7F3853555CE6DE717F13C3614D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:07.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F52C6A849257A3A39F2FA9F2FDEC8E,SHA256=C9E38478ADFFFAB97D2F24BC5ADA7B9330B556FF476E900546AFAC1228E33479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:08.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5076CEFB1B373A7F583179732BD98A6F,SHA256=0194BDCE69CEA1A97726D3FCA9151725CAA2DE8FD9F5F87D52EBBCD7DA917330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:08.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8B16DF00164855FEC954066F258190,SHA256=9CD7E2D706A3228D000BA8D65093E963E3B59CECD3FFC4F7F9DFB81D9B6A9016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:09.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C7B3B198FAB1C3DAE27240D243AA78,SHA256=B2BADD173DB3667D806EC12FF165E0A2511F5C77D7C530B26EDEB585E7954C6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:09.774{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:06.452{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:09.559{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7E5B25B1894DC79580C6F8F6153401B,SHA256=77F8F6F9712C9FE6A97F8AC98BDF05E8D7D094B536A901C4DEB68CAA94BAEA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:09.290{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D0D56065F0F1BB800BE36D50EAE88C,SHA256=2B2B5F8BAE95F5574A958A616EE0269E6283F128A08B58223BB20BC6A1C1CD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:06.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39822-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:10.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E834081C1078B665985A54BCD24F4A2A,SHA256=C0804C9E6789FC3224C5C651B86D0A73C3F4FD9D8C14B2CD0E23EE8F9701FAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:10.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7930BECA8CC8DCA51B3686E79343D68B,SHA256=B5F621F2D0F52760A4D38A4F74F4C3CC448D54F318A698CEBF1E9E93F3E270EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:11.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D693427743C87C730349588B8E83DE6,SHA256=ED33AE2C63D3E7EFA31A4A0099AA75862423DB6E91BDE2E8EFA4928F1124BE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:11.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD314D8CDA2E5E5B49AC1B3F5B360618,SHA256=3899566F50D05C75670CA15DD11E4D1AFB269B0A3A12C124D4BED32302F4405D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:07.685{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59175-false10.0.1.12-8000- 23542300x8000000000000000974868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:11.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177C263DAC5C31F9BB3B4BC8D167AB36,SHA256=7F48733434AA6FD785D59B3F076D169DEAD05C7EDE4A7755CA5CD2082325C125,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.692{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.692{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.692{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.677{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.677{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.677{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.677{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-8641-6151-9F79-00000000FC01}1492C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:11.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A767DE7843176494E62A1EE405A2B90,SHA256=D302003502ADB99D3A41B480CA5FD30DD540FE408A4B1087575D8D43187622AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:12.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47C215D3FEA3F61C27F820222BEBF7C,SHA256=5EAA3A1142420B525B098D28EFC79B164A6E5F6ECE2502581FAC5047583E48BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.794{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:10.931{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.310{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06827D18DBADE228B25200C673BEEE,SHA256=8366AAC553E880849E49D96BF0736AEB3967CE35C7AD2799BF84DDAEFE44FE94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:12.295{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x80000000000000001046281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:13.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CED1E87614FF641EE07B567ED71B2F5,SHA256=0E71FA99119D85AF68AB08721D9263E846A571251E876CF2FAA10A9AB3B52BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:13.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256726988B5E3527358CE31C99355928,SHA256=9772384ACFA47F39BFFC4B556F6B8E529A96BF1803A81E4FD99C00A338D31AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:13.294{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:14.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB3EF32765BC13DBA7307A2E3290049,SHA256=A9789D7CA0B4C2E9D8AA5AD9E0C38B27879129D90DF6C4BB52009CBC4DF7437F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:11.920{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59176-false10.0.1.12-8089- 354300x8000000000000000974878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:11.726{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61277-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:10.674{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:14.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510E0C74ABC463F27BBAB28F9863F0F3,SHA256=0C6E086C98AE1C599782494DB46047F96A2C10380D5CB66E77985AAAA777255F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:14.013{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D693427743C87C730349588B8E83DE6,SHA256=ED33AE2C63D3E7EFA31A4A0099AA75862423DB6E91BDE2E8EFA4928F1124BE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:15.393{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386DF5F8AEFD429CB0950DF1F1507122,SHA256=C7B8DBB938EE855D21F07331642B5F2BBBDF04686671B57CE1CFF6523D3C2E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:15.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4698AAE097DF4454772ADB942C18C166,SHA256=4EF5A5516CE6D2952086025ACF260412C9EA77CB26C5F5D6FE4D1B1D21BCAEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:15.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196301432F88FC05B586075FD6AC778D,SHA256=882E3EFBC844FC28174C47837FF3E05C5AC372F0BC809C59E6C0CEDCDCE2E743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:16.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC64EC6749832CF930088902C974F26,SHA256=653C155AF3E60B8BEF8364F45595D5C2861B0DF8449C6CA90D63662C2DEBC63C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:12.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001046287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:16.546{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001046286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:16.546{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:16.546{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfbe22a9.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:16.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8A68D78EF16C0C1F74BAA445761883,SHA256=DCC89CEBA7A475F2740056570CA73C7B2269466AD61E6544E6BA2E5FABEEA333,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:14.394{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22541-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:13.685{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59177-false10.0.1.12-8000- 23542300x8000000000000000974884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:17.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001F3E7270D8649C50F488C1290C6EF,SHA256=A304BF1C48FBCD0BDD85416F01982CF2E2E760C818BCE2CBC4DC99A441340D1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:15.854{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65505-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001046291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:15.854{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65505-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001046290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:17.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7BB6A23AA88DA259C4AF8FD30B52A0,SHA256=910A36D4D57132961B1C0002DCF2D1AA55C235DB8A38EF4458CAF4BCE8A91EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:17.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D858FA6556BD5305C226F29C0FE0F550,SHA256=E77A94AE0142CADCA46E269DC4B5809EA0B2FD64F3B6D857C64C94EADBF887EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:17.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADEEBEB2A96D7C051FFFCE73A97BA1E4,SHA256=69A5AC8FBCA1DB5B36CCB8EB0E222E56AAC0274BE9A18618945E24B3247CD84A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:16.832{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:18.447{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085F64FBD89E40B2A15C4C6962E3BF2,SHA256=31B930CF9AFAF937FA888F40F74C9CE8CB328EE4C06525B2CAC1C298963E4F18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:16.025{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com47179-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:15.381{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:18.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2147D3E5560C1253915E97ACC00B8EA7,SHA256=727407158C03109BBB32F8D3C5B33299D66E61FE5C0DCD0CFC293E7AC54835F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:19.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D858FA6556BD5305C226F29C0FE0F550,SHA256=E77A94AE0142CADCA46E269DC4B5809EA0B2FD64F3B6D857C64C94EADBF887EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:17.932{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com48922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:19.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D98B3C120FFCADAABCEFDB40984979C,SHA256=6A0B63FFA5DDB9C20A9E294204EE0F344CE25473B8A8F141112FA35C55FFF2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:18.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C374163DB1F0653730850FCAE2CDB067,SHA256=485A8D220983CACCC3ADF3952B87B3E1E4C8A95866A19CE16EB066DBEEF15C0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:19.380{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:19.380{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001046296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:19.380{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exeHKCR\txtfile\shell\open\command\(Default)C:\Temp\evil.bat 10341000x80000000000000001046295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:19.380{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000974891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:20.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F2817156703D2942AA7E28A39162A5,SHA256=621F28301F086F757BE64A7A852720E1221C401EF635AE977F36939B13BF2774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:20.545{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98189D058D32945DA1048B942641857,SHA256=7B3ABAA3AF287406DB724644CCB8B03156D456940F658D3F223F1C72F0B55AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:21.563{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543F92A2FD08C3DC9051F73D5620F5C,SHA256=DBE24BB2913F192673BB1BA20C892BD9AA91087F35607F07877074E6217FD923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:18.873{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59178-false10.0.1.12-8000- 23542300x8000000000000000974892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:21.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D90657257E2D49EBBA6A2C4C1CF604,SHA256=202DBB1E0207E2E234D5E3E395CD0314C9AE2E18085E4C242AE614F1560CCA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:22.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220896D48A6017C700710E5BA8A8817D,SHA256=62378DDD0B94DB492B5F28217FB039B69F7426BD8FA644AA2FA463576E6D83B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:19.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de51651-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:19.040{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:22.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257B8D64C4A14D653D82691A31C2C92D,SHA256=77157536B43B28886E422102B177D54E2592776716920B84E08BFDB2DC107F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:22.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EEFE4A682A3CB4C1B21EAC491493EDD,SHA256=75CBE811FB0F8296642E57232DE702694694470DB3D41C889CABCEAF6EC9AE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:23.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E7E729A65C4D84AE4580B2EBD2AFE2,SHA256=E653562392755C9FA0F012721F25B4A2DA8794C5086FB816A257F5CF0E839252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:23.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7D782E59AA082C38E4074CD59F2133E,SHA256=085AD06C7E8C48F9F1D6D60E5B56AD6C54083B5E87D0D46DECF899E2CB1AB8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:23.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966B3BFAA4DDED542730437567642D3E,SHA256=CE2E52B20E1A07060BDDFF29D512438542F64CD5A8E7A0F7B7B63F7DF7015EF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:21.955{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000974900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:24.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A098F5B72688D62AECFE84874BE3DCF5,SHA256=EEC12C4E50700CC93BF169320F49E22313EA351AE1845435456369477B2D8E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.325{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.325{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.325{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.325{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.325{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001046330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.309{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.293{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.293{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.293{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.293{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.293{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001046318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:24.241{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 10341000x80000000000000001046317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.146{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.146{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.146{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:24.095{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001046306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:24.078{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 354300x80000000000000001046341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:23.448{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61321-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:25.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986338BDCAA7720A47B1B25FB0599557,SHA256=4533CCC3B16B4C57252C9A6235040CBF668A61F8515C2E89746B9A58D311FB17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:25.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65879AF68D9886DD88521AE47E39CE5F,SHA256=4B4C19746B4DA936E15D35BA7B87DB08FADABD40C5D04B9892E4D45E42B55F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:25.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DC3FD83CA24BC43A236CC7F756BB81A,SHA256=6C3C4A8453D31E240864B93493618F8004D381E7339D976D5877E0DA5D3C709A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:25.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77599818A2C7917EE68109A4F3712E6E,SHA256=24DD7684A0BBAF51B5B05530466ECFB37F8A65ECCF16787BD3B63738E7FB73FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:25.024{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25388C3E9DC784FBFBE6E79098E54AA7,SHA256=76F41855D20B8CDF3D002F6BA5D643224F6D7E4AC77A2E9C5F10CD79299C4FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:26.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AA931718562F67D460C61604B560B7,SHA256=E56FDE572C4188C81357D81FDE22699E61DABDC7253A921CA36934B1A074D68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.983{69CF5F33-86C2-6151-4A79-00000000FD01}36362812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C2-6151-4A79-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-86C2-6151-4A79-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.764{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C2-6151-4A79-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.734{69CF5F33-86C2-6151-4A79-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7A0C7391F91F75E6D2960A05C175C1,SHA256=D468E3558AE4D27827FBEB10EB9088368F800AC30BD97E290B2593366832C8E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.358{69CF5F33-86C2-6151-4979-00000000FD01}5081000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:22.857{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF7FF4502A8A8E07CA7A44A483A9CF2,SHA256=57018C17934925690440B9F49A156153E36F3FB7D95701A97F5B8333A98634F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C2-6151-4979-00000000FD01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-86C2-6151-4979-00000000FD01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.076{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C2-6151-4979-00000000FD01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:26.062{69CF5F33-86C2-6151-4979-00000000FD01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:27.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA6359B89B036807AD1E275AB6B9EA,SHA256=D5ABCD774BDC08175673CEF39FAC0EFF0D857EB0A658EC33EEB617A9D05A1589,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C3-6151-4C79-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-86C3-6151-4C79-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.983{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C3-6151-4C79-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.970{69CF5F33-86C3-6151-4C79-00000000FD01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABC3B93362A08CDC4D710DDF674634D,SHA256=E0BBF7FF4667282CE2FA177BD2C38CB6A248205868D03619F00EF3C63B1EA623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E199E3FEDD66895C982EDC6D53234A16,SHA256=2C5C5B8EED2F6F24EA6B986EF2C45AB90637EA226E797C05870A0DD326B70CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:27.759{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DC3FD83CA24BC43A236CC7F756BB81A,SHA256=6C3C4A8453D31E240864B93493618F8004D381E7339D976D5877E0DA5D3C709A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C3-6151-4B79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-86C3-6151-4B79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.451{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C3-6151-4B79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.437{69CF5F33-86C3-6151-4B79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000974977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE425D0D08027B5D2ABCF9859490F08D,SHA256=F3D3F4581749DBA1CE45899389B85F054A04F6B9732AC728BCFDD52AB542937E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000974976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C4-6151-4D79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-86C4-6151-4D79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.670{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C4-6151-4D79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.655{69CF5F33-86C4-6151-4D79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000974963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:25.200{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000974962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:24.875{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59179-false10.0.1.12-8000- 10341000x8000000000000000974961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:28.233{69CF5F33-86C3-6151-4C79-00000000FD01}5763204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.561{69CF5F33-86C5-6151-4E79-00000000FD01}38401916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86C5-6151-4E79-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.358{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-86C5-6151-4E79-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000974980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.342{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86C5-6151-4E79-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000974979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.343{69CF5F33-86C5-6151-4E79-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:26.128{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000974978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E30E760FF52D5C898672077EE82676,SHA256=BC57557068B29289A38883B29C2E8F6FA15F2BDAE931018F5FA5C53036D5B31C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:25.974{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:29.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984F198384C0FFF300D911EDFF56BDB6,SHA256=4438FCC0F3A8950240625E6F4E3CCF88BAF2120E4C4EC24D35E184B80CBE8F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:30.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27E38B023A1EA3BD14EE9ADB8B09807E,SHA256=689C4ECD0ED8BCF6D8444D3975808A386357FDDEBDA52BC7C5742693100928DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000974994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:27.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000974993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:30.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2B241A7AF56ACC63CC191B77A20A89,SHA256=2AE7078288F3826FAF3F72FBF00B2DA0F3C65A17D2E10E8374857781447C01D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:27.881{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:30.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E20A436243E68CC03A56FCA838C0A0E,SHA256=AE063812929D09914EB9478F2607F51162A8D840BA7C546D3C907CE157731E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:31.342{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00457E204409F067841C11BB83B87E5A,SHA256=F917FA61E701D870C9E7F7F4C5DCAAF1FEAC4FAE3F42ADD44023751F8CFE6C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:31.957{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72693D0320707ABD5F9244B90D8F7F92,SHA256=26FF9E187A9D744E26DE55152D349846C05B7F63A1E95E2312C518BE9A056DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:31.038{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A168C571F950E56079C35DC24B5732,SHA256=7F996348C45DE30AF2B6D635F49B08F2C749A3ECB8660D82E5B60615C5B449BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:32.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2236348AF31384E3A0EE850BEE1EA7AD,SHA256=7E0561CE146E34D9ECC17310911F7E0A07A7BCB6FF6460969909DC174D065ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:32.420{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=86CB569E4E7B0F91CAF326EC5981DDE0,SHA256=38478498B4EC5BA0F2133539D75B2B6655802BFE2D5C8E71BCD59C09BBDE2B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000974997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:32.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1171AE348FACBAB272FF79257E9D38CB,SHA256=AFA5C6AF959DC13C972910BAA3DB9ACB1A1E929854FEAFB1CF8AF46F8406519D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:30.137{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:32.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91218A58F47750CA6FB73D8A8365DEF,SHA256=DBC1EE69CFEC119340B5094B5FD396961B190E6259C0387D9944A92C3AF2B209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:33.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1914B4FB099F95401F6339694436F76C,SHA256=66BCE7D929D88487CA4B8E6FFE0228FA69E433E0B11FD94B5C8AE056466ADDF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:29.850{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:33.420{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098E06C6F69BA11F4F2258699C8FF18C,SHA256=68D55B6D923503029736963890166D85A578BFD2DA4E986D11F93862B7348863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:33.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66751B3B7E45A15F83BB6F2785AB2FF9,SHA256=DE747E1796B3067BA512C931E28670022555059B96893AC193C36071C9BAE5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:34.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D88287EFB6105F596D6D8086DEB32390,SHA256=066268DEC1EECD34F94F5AE5F7497D81834480D18D9EDC3D9F4E94F21283B770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:34.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C232A1EDD971B1FE31277D777E706398,SHA256=3613E412946D31DC93C09B4BDE4B165920C39FA618185EE9A83A7263228C5466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:34.158{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B9450A660B1A9245C0FAB86238D9D7,SHA256=1F1EB339FD8C203CA48A003CC89D06AC36D56D5DF2D4F74B7B074E41F3B5F697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:30.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59180-false10.0.1.12-8000- 354300x8000000000000000975003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:30.347{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2626-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:35.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E00D9C68EA58B8BECE08B189D59BF4F,SHA256=BA581A5B5D9F69F0F04D66CFE3264111A16C2B7367631B154559AF5EF33FD64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.772{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F062B8B3693F82370A8E7CED88FAB707,SHA256=6E976529B19C762BC5209A66FAAAB77E2607818C5965F597985525E46BFC4D6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.740{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.740{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.740{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.740{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.737{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.719{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.703{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.703{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.703{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.703{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.703{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.672{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.656{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.656{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.656{5EBD8912-86CB-6151-B479-00000000FC01}59924916C:\Windows\system32\conhost.exe{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.640{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.640{5EBD8912-86CB-6151-B079-00000000FC01}11764248C:\Windows\system32\cmd.exe{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.640{5EBD8912-86CB-6151-B379-00000000FC01}2116C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exec:\windows\system32\cmd.exe C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" " 10341000x80000000000000001046406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000975008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:32.404{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53962-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:32.075{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-52012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001046402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.618{5EBD8912-86CB-6151-B079-00000000FC01}11764248C:\Windows\system32\cmd.exe{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.629{5EBD8912-86CB-6151-B279-00000000FC01}3344C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" " 10341000x80000000000000001046399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.603{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.587{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.587{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.587{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.587{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.587{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.572{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.572{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.572{5EBD8912-86CB-6151-B179-00000000FC01}47764840C:\Windows\system32\conhost.exe{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.539{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-86CB-6151-B179-00000000FC01}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001046382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localInvDBSetValue2021-09-27 08:54:35.519{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\evil.batBinary Data 10341000x80000000000000001046381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.519{5EBD8912-7F30-614D-1000-00000000FC01}3804736C:\Windows\System32\svchost.exe{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.519{5EBD8912-7F30-614D-1000-00000000FC01}3804736C:\Windows\System32\svchost.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.503{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TwinUI.dll+1771e8|C:\Windows\System32\TwinUI.dll+3eefe|C:\Windows\System32\TwinUI.dll+fded|C:\Windows\System32\TwinUI.dll+fae5|C:\Windows\System32\TwinUI.dll+fd2c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001046378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+2efb55|C:\Windows\System32\SHELL32.dll+2efa85|C:\Windows\system32\twinui.dll+395d89|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb 154100x80000000000000001046372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.498{5EBD8912-86CB-6151-B079-00000000FC01}1176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" "C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\System32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding 10341000x80000000000000001046371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.488{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001046369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:35.472{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001046368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001046367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001046366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1042SetValue2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exeHKCR\Applications\evil.bat\shell\open\command\(Default)C:\Temp\evil.bat 10341000x80000000000000001046365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc|C:\Windows\System32\DUI70.dll+a4bd6|C:\Windows\System32\DUI70.dll+a4e13|C:\Windows\System32\DUI70.dll+a3bc6|C:\Windows\System32\DUI70.dll+18762 10341000x80000000000000001046364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc|C:\Windows\System32\DUI70.dll+a4bd6|C:\Windows\System32\DUI70.dll+a4e13|C:\Windows\System32\DUI70.dll+a3bc6|C:\Windows\System32\DUI70.dll+18762 10341000x80000000000000001046363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc 10341000x80000000000000001046362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc|C:\Windows\System32\DUI70.dll+a4bd6 10341000x80000000000000001046361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d158a|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc 10341000x80000000000000001046360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058 10341000x80000000000000001046359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-86C0-6151-AF79-00000000FC01}52327084C:\Windows\system32\OpenWith.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\SHELL32.dll+2f452d|C:\Windows\System32\SHELL32.dll+2f05b9|C:\Windows\system32\twinui.dll+39b29c|C:\Windows\system32\twinui.dll+395cd5|C:\Windows\system32\twinui.dll+396847|C:\Windows\system32\twinui.dll+5672e6|C:\Windows\System32\DUI70.dll+31195|C:\Windows\System32\DUI70.dll+48c18|C:\Windows\System32\DUI70.dll+186cb|C:\Windows\System32\DUser.dll+b876|C:\Windows\System32\DUser.dll+b5b3|C:\Windows\System32\DUser.dll+b306|C:\Windows\System32\DUI70.dll+2e058|C:\Windows\System32\DUI70.dll+a31fc 10341000x80000000000000001046358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.456{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-86C0-6151-AF79-00000000FC01}5232C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2e0d|C:\Windows\System32\Windows.UI.Immersive.dll+2524|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 354300x80000000000000001046357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:33.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72DA320E01B870542450ECC0D138F96,SHA256=DF58F477DD82E20A35FEDBD8DF12449B29E4F846F0FD3AF89CD72F9F0CEA5BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:36.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D735C9C541C44927DDA82A12B4E9C1,SHA256=1DE8FCE79E16504E9DFF656518EF32805E3AAD470B99D407F00279AE2D1F961E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.541{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=139796F7377317575FA73F6B0A702DE9,SHA256=09A0D527BA89E4BCD4EB4F22F085C1E523B7228F6198F3C221DC8A4654FFC2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5C0ADDF6C986333624A23623281F2E,SHA256=CA9B833F600C480CB243C738C323C96831A12CD9CC9C4F769BBF68A06CFB5989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.256{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:33.528{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:33.067{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:35.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15DE74E8DA495753E6EE71344F53EAA5,SHA256=6C1BBB64C25EE0E4EDFA26EF8C11EFC82275F92B1ED88B95698E7C8D09EAF916,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.040{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.040{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.040{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.037{5EBD8912-79BB-6151-D077-00000000FC01}46122872C:\Windows\system32\csrss.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.019{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:36.019{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-86CC-6151-B579-00000000FC01}4232C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.970{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86CD-6151-4F79-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-86CD-6151-4F79-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.954{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86CD-6151-4F79-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.941{69CF5F33-86CD-6151-4F79-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.735{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D4605C5A8B956CEFA4B43AC22F0A96,SHA256=CCD33996AFC91FFB40019B5E33CF61FC0E5D84E9234095C5C1B9ACC9E070CA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:35.926{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001046457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:37.272{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0833ED6C876E08411E6998052A87CC99,SHA256=39E22482E89E6D10C974D32C4F2DAEC20A4969515B19205A5F341A436E748E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.692{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4291MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:38.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFB5CB6B6A80458274E135F56EAAE9A,SHA256=7509A9C592145833E049E906A31280286D55326612C34F3558502297D4106671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.786{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.786{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.786{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B379-00000000FC01}2116c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.771{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.771{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.771{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.771{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86CB-6151-B479-00000000FC01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.286{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA3AC12FD20F0159DC62C2D400BBB40,SHA256=95826BF4E9036AB58129C65B4C7E9CC8EA438F5CAABEDB80D982A4F01568368F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:38.705{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4292MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:38.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26E327A26E566978669DFF181B8BA01,SHA256=A95A504C7A5183F856A3B2549CDA4659CCF178F106B64230BB096B1A9B81B23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:36.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59181-false10.0.1.12-8000- 23542300x8000000000000000975032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:39.799{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508BC7B708C1F65EE7AF67793265C1C7,SHA256=4061A6804DCFB749496C6F8A8890FB4CEB372B4850BD70B366968E86088FDB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:39.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2C9CB0F9B10864B16174FE1E5F8988,SHA256=F204D345FE0D47A21EFF518CBA98D694DAC5851502AC7E707733D0E416D2AB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:39.117{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=157DE7722F836B37EB9C488A799C3A85,SHA256=4579F57DB31C8FD25D02A702DE8A82F773D20314AF5C0E6339934DF27D1B7BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:38.947{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:40.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD11168F8B2FAC95533E00D66B7594E,SHA256=B89D33D51C0FD9E58E36E3CCA1567E79D81751B350DC86DAC47F32211C4C6EF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:40.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=268A31F17D8CB147889B7D41FD8C4C3E,SHA256=E7D83231A4CD97831F3BCC74C99C63E315F354D1155BB065D3389228008824EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:41.335{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70ED8E6A74D6D8D7D2B74B308E7AE8E8,SHA256=ED1B31565BB77B478967CBB026E087B6D4F488E17B1A4ABBCC7E72D92A98C6CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:38.549{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-58723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:37.714{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:41.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4989C3DB2B3B354B5A3C2AA759A2C657,SHA256=F2D221C10075C4A6E93A6B7E534B4E3AC9337F4A8515D1E01DE0B28F50404906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:42.687{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23828FD968BAB1FE5462D0FE757F6D5A,SHA256=BE6AB876BE1A954515C49CA305D3664B93986913439020B43FBCC10BFEA8A089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:42.687{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54EADEB27CF3B3CC7EBCD8ADE5E395,SHA256=F3329C5EAFA28C604FAA09916530FB3B8122E12AA5E12B7B47FD22F1271D8952,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:40.720{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:42.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945DDDD3356F7DDA5C7D79B75218AC83,SHA256=017909CDA7DE20002029C3470199B37D7FADEE95FF69C130F28D17D6A34A9A51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:40.303{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1378-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:42.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE43C2A2AA7EA35C90B9E7927848D525,SHA256=09EDAF3092990D73576CEFBCCA483BB63A2D189FEE0ECE68C107164595EC0D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:43.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F8050BD58406BE07155865A3F38EC2C,SHA256=345E5700BCF809F98004A20EEC9CD74AD15581C605F582784A4ADC56CA1F6DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:43.188{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBFDD071C3D3290FACE5037803E17CA,SHA256=E2F78859EE23FCFEB21D894585B2FB79C3CDE0592C6FBC44075B952F446D256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:43.418{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4E600EF7352A721D423115B3DAC627,SHA256=31E6CE9DCAFEE1A225056CBD5EF4476AF72B9E886B46293E8797D34AF55EF6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:44.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A672CEC8F3CD46F00C2FBADF96F1DE20,SHA256=0B34894C9B7989ED82C7A43B85FA4C5CFE2FB062F25AEDF30350DD75379F3CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86D4-6151-BB79-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-BB79-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.870{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86D4-6151-BB79-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.855{5EBD8912-86D4-6151-BB79-00000000FC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.470{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE78F517E7673764D8C9DFBF669AE0A1,SHA256=1208136BCFCEB44A87FC928064F98577B787989D7B1965F1CAA9CF72C2793367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.455{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.455{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.455{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.439{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.439{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ACA0DA98299B0388C0C2241B07309D,SHA256=8347796E2481342BD3BC8D3DA93F3557F691689A1FE70632131AC21702BDE752,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.417{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.401{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.401{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.401{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.386{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.386{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.386{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.370{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.354{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.354{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.354{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.354{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.339{5EBD8912-86D4-6151-BA79-00000000FC01}70685324C:\Windows\system32\conhost.exe{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-79BB-6151-D077-00000000FC01}46122872C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-86D4-6151-B679-00000000FC01}43885960C:\Windows\system32\cmd.exe{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.324{5EBD8912-86D4-6151-B979-00000000FC01}3964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exec:\windows\system32\cmd.exe C:\Temp\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" " 10341000x80000000000000001046510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-79BB-6151-D077-00000000FC01}46122872C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.317{5EBD8912-86D4-6151-B679-00000000FC01}43885960C:\Windows\system32\cmd.exe{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.319{5EBD8912-86D4-6151-B879-00000000FC01}6540C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" " 10341000x80000000000000001046503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.301{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.301{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.301{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42964904C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.270{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.270{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.270{5EBD8912-86D4-6151-B779-00000000FC01}41565332C:\Windows\system32\conhost.exe{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.254{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-B779-00000000FC01}4156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.254{5EBD8912-7F30-614D-1000-00000000FC01}3804736C:\Windows\System32\svchost.exe{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.254{5EBD8912-7F30-614D-1000-00000000FC01}3804736C:\Windows\System32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.254{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.254{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.239{5EBD8912-79BB-6151-D077-00000000FC01}46122872C:\Windows\system32\csrss.exe{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.239{5EBD8912-79C0-6151-E577-00000000FC01}42964336C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.253{5EBD8912-86D4-6151-B679-00000000FC01}4388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\evil.bat" "C:\Temp\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x80000000000000001046477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 08:54:44.233{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 10341000x80000000000000001046570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86D5-6151-BC79-00000000FC01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-86D5-6151-BC79-00000000FC01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.540{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86D5-6151-BC79-00000000FC01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.535{5EBD8912-86D5-6151-BC79-00000000FC01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEB9CCF1F4ECE2158FDA3663C02B3DB,SHA256=12738B05FA934B819AAB5CF0AA27C2673BC6672B66D871D4EDA2E1AB3A48CC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:45.797{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DB500F2B6F2E25866EE63B085F4CA48,SHA256=2A80550664B600C15E15B6787E145D2B3C0267B7E1EAE47EBFA4CBCDBB9924C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:45.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B25215CE1B8C684BCB822183F0D656F,SHA256=1DBB199543164BAE97ECDC22085D384A21A529021FFEF50C36BDABBE4D03A83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.339{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23828FD968BAB1FE5462D0FE757F6D5A,SHA256=BE6AB876BE1A954515C49CA305D3664B93986913439020B43FBCC10BFEA8A089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:46.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659881828487D1151D85002317EDB9DD,SHA256=7295E390E757CC652A4F1F80DD881C40848957B224021CFED46A9D31EBC3CF2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:44.847{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F620637A9CE4F6D868EFA0C9F57AB7,SHA256=A4197800AF8DB1F48409A31017C867707C4E2FED57BBB86DEB498E164648B630,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.517{5EBD8912-86D6-6151-BD79-00000000FC01}71243752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44426676A487D1754EB56C3210541E80,SHA256=C14CB988876FE990FF8146F82FDF9E14B871D5FEC4D1545DE060CF412D24F23A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.402{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.402{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.402{5EBD8912-79C0-6151-E577-00000000FC01}42964348C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-B979-00000000FC01}3964c:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.386{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.386{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.386{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.386{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-86D4-6151-BA79-00000000FC01}7068C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86D6-6151-BD79-00000000FC01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-86D6-6151-BD79-00000000FC01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.239{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86D6-6151-BD79-00000000FC01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:46.218{5EBD8912-86D6-6151-BD79-00000000FC01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000975047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:42.766{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59182-false10.0.1.12-8000- 354300x8000000000000000975046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:42.579{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15501-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:47.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F56F348894B9EB08A697BA2188B4CD,SHA256=D5E3CB888E2EF432672342E26F9E975C6F15E32C2868D2AC8326122CF4E47F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:47.586{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D19B73E77E8D3C9D8E0CA5D8871594A1,SHA256=16E2980644F3A6CC4CAA4A142441B3ECCC14CEF25F7AA58D366D15394338CFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:47.570{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21075004D75117FBFED418C65F8F564F,SHA256=24B8A41198DD44CF71E2693070D67C8B0A81CCABCF0DD7FA4FC0B47EEB8A6692,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.123{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:48.585{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC312905F8FDAEDEA750FD96E804247,SHA256=1CB2F868965404934FA71F381029679551A25198E05F2016AB6BE096012999B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:48.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D8664650DEC40383D62C2893E2C0B8,SHA256=68022D55D6E29BB48D2E8A2D8514C9E1AB9402F9F95D54724DA958137DCB8088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:48.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=347D2DF0D28E0CA9EE27578B72A6AA35,SHA256=829457BD318F2F44045B1126A223E166C44A4B33FBBFFA12DCA9C3383A9C7258,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:44.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-28454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001046593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:45.934{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63525-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:49.633{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B850DB8592D10007C9B3FE745CE4DA,SHA256=9895FBB26590C3FD28AECACAA08427B2C924C7F7FC0AA63A3FAAEC48CD9F24FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:49.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670F2068421724BEBE5300A2C5F13014,SHA256=1CA6E31895D782E5B907A3AC8CD5CB52C30C76267FCE46D6FFE9978AC1D3671A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:50.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AB491AF7CE05153D6701C3B4BFF85E,SHA256=2EF8D277778772C9A404C2061BC280B0FDA61084B41FE86764CD14DACCADB6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:50.669{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC570ED739503D33AB13C1E1C5C165C,SHA256=78D6D0AF0BAE65B5FEC4ECCF14F024948C5601DA20D5720974B375876887B7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:47.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:51.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FFFEBEA5D4EE26DAE41999FEB8CDD3,SHA256=2E15A5A914C0980C6F1D4D7036197F4E7157734EA6713407C118847A6EBEEB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:51.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C325E8A24EE085EE4E4B81DB84A2B07A,SHA256=CBFA696175018B8D13BEDDC9094F814AC3F49B8A2F0E1F79140268863A815FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:48.767{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59183-false10.0.1.12-8000- 354300x8000000000000000975057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:48.463{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:51.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0257E4C56E521CC32B001CE86418AF83,SHA256=D215E924EF36D1B5BC95CAFD30538940FE8F93EE9EA0A1E3C2C31824361DF2B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:49.549{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:51.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A5F039325BBB754AA8B68E676AB7F0,SHA256=F916C8817D99AB76B716E377A087A7E8B5A9DAF74D17C1B7DEB244A663467A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:52.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458BD12E2CA4B8534B294A114136F13B,SHA256=3F7860A0D9823606D29E29A5059BF49CD40CFA0C641BE41618C7B8349D7BB05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:52.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C7B8E4197E89433A9928C934011BA3,SHA256=1C61856D8A2E8F993A26261F9E53F0EF7299E649A23D4B7E4CDB0DEB1F6D1BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:50.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:53.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A0885B612C1CE4F1BEEB8845F2C072,SHA256=C023E95E1BBABC6AC7BED715652DA614B2174FF4DFB96E371239FB919EB91452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECB29C0F4BA05040DE2BB007B7CCC13,SHA256=580F33E2DB471786A87C5D36C3E70894BB270841FDA53821031E618433F25E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E4900C402EF6367FA65AF78CE068700B,SHA256=5A95317EFD71F080FD0C9FB252FD369A34D262EEA8ECCD15B4EA8AD62A94A23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=ABA5931EC8C16D911816E51828A7BC9D,SHA256=91227D79F350C8FFDA8E87259A56F6508E76DFCAFB7BA79E5D6444E71414B5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4008307FA1CFA1E4DB56DEC338DB6020,SHA256=690C89D4FED89AD1354238CD39CFF2674E231B79306DFB90CE73BCEC71981E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A1BE0B726B31FEB9C72F6B7EF1A20A48,SHA256=26E0389FB090883D9267E1E8D85AF2F094694BB830653405633E1C3E1021D699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3DA11774712F2E297FBC7EDC039AF09B,SHA256=B2158B4016D1247945BEAF122820C9978484F9E648C26FB40B7A1B12BEF14230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:53.569{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DE9C0CCA57BDED6D8BA488CF41344DC9,SHA256=6A5D51D8D2FC6E6445D94641D57B0E15D56CCE8999FB2A152987F28361F5A273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86DE-6151-BF79-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-86DE-6151-BF79-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.754{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86DE-6151-BF79-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.733{5EBD8912-86DE-6151-BF79-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.701{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A03DD6954A46E6145D9E7D0D9751767,SHA256=DD42AD0453761946A3C463A0852116FC05AA33BB64618879417371497A17F8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:54.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817E33427E56DE25E18AE5129026DFAA,SHA256=1748214793B3BF231F1880A8E78B2BEC1C1EE4A76E192F1068C7D93847E4D5F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:51.143{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1310-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001046617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.337{5EBD8912-86DE-6151-BE79-00000000FC01}42042744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86DE-6151-BE79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-86DE-6151-BE79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.069{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86DE-6151-BE79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:54.055{5EBD8912-86DE-6151-BE79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:55.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D601A4B1E6434E19959EF5F972AA13DD,SHA256=B06BBF458EF500A9C9B81FA198DF0AC3DC0C8A0E30BDEB9A5245AA328B212D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808BA2AE6551A6A24EC06DAB10FAFBA2,SHA256=C713486D0ED9D4667D32714F03A7DBA7B0DFDF57522818205A0BB156A7F86B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86DF-6151-C079-00000000FC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-86DF-6151-C079-00000000FC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.616{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86DF-6151-C079-00000000FC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.602{5EBD8912-86DF-6151-C079-00000000FC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.069{5EBD8912-86DE-6151-BF79-00000000FC01}67403380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:55.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDEE044226B97723BC1C9AF4D9F0A6C,SHA256=82CD9615ED8CDA92C3C289234B3AD3DA55C530C0652E9BAB385E27379D8D6705,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:52.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:55.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0DE30297E48439ADFBA8BA6765D077B,SHA256=4D8F17125DA467865EE3A0CA2F7621CD5562A500895A91647BC2B0FBDA5F5F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:56.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF41527B3848644BA14F3D8206FE885E,SHA256=653E0B9FB60B21DD019DF5E431CF4EED75778409981991D7DF34593CDFA4A663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68081E7EE6B4A63D6B65883552B3F5DD,SHA256=AB93C33A2EAC034D1E138AD6EFC18B518D5114DA40B2A0B64E837F142AFDF471,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:53.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59184-false10.0.1.12-8000- 23542300x80000000000000001046647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.602{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85864C4BA647D434345425ABE3221D06,SHA256=DC5B1FFE57B4BACE450200E52626E45EFF1932C3CB099D2519792EE2D2D62F8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.488{5EBD8912-86E0-6151-C179-00000000FC01}43682868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-86E0-6151-C179-00000000FC01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-86E0-6151-C179-00000000FC01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.317{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-86E0-6151-C179-00000000FC01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.302{5EBD8912-86E0-6151-C179-00000000FC01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:57.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24B8FDB97EB6C63B9020D3C1050DBEE,SHA256=7A90ADF5F24C5D62C72D2353A5953EA92AB1B3D01256C2B2F2FC22D02FAE44FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:58.953{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BADFFA129BBB08EC433ED54798E345,SHA256=2CD0BE090E6396B323A82565995AAE0B5E9FD2B891AC50B28D0BC23413D0B75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:56.725{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.585{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DB7F5235C7BACBEF6591D5EBC12EE8D1,SHA256=99EA7E190371D01396D81E9690BBEEF47027D89FA17F275DC8CF6235E1D6AD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.585{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E5AAADF6733025E85981E845A57F551C,SHA256=59A5E4F80F445FF70260942DCB718FA9D9D977EFB6533E88AC991117C3D41948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.584{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=70E55C30B33CF190B34BE1DFEC44DF4A,SHA256=CD13133AB706E51D75B61936C3CEE9902362BECF668C146399C202E025A49DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.582{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2C896C423C47AFB702FD4D385C48047D,SHA256=12DE88A5C1623AC5E80B8AFA4C2A1CBF043083D0C22E8371D0637319C75640EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.581{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=952E7502520B0E88453E02269CFC7FBC,SHA256=EE1A6E54643565738CB678B316CD12B303A6FBAA98C7B9858E2E7334D9C3994B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.580{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6363DDE152F6B562D7C0FC120F528A40,SHA256=99E175ED9355AE5CE8569F21A0525B41AE648F9903981A209923FDE0DE9B79D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:58.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4821AD28D4218F6C109665A31B0B1DF6,SHA256=936902E2CCEB906ABE4457DAF6744DDFE060E644CB79F53749476EBD3AA4560F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:55.683{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:55.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-28522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:58.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34DE2C5FFCF8FFAF3CE9E141286F8645,SHA256=D4446163E7590E16F1AEAF45B922E5832A84BE32411ED108372C5A1CE7C06588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:59.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4053CD22D4DCF16E39C79717F4259779,SHA256=C277592E1DDE6D32CE79321EC4FCA570C9BD089B4B85C5B5CD1637ADC80B3374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:54:59.031{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF2C1C09C36E0447C8394B9D0BAA0C,SHA256=15EE547D044340072263228700C44F9F9A0D6F8CA11471D3AEF9665193BC7F88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:57.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56731-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:00.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9551CFDFEBD861E642FED5885A81D262,SHA256=E94D8D0170511CBA7F7B97E581A931788F9BD12B62B487F0869110365022C12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:00.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC69BF77DE725DFCEB88B4B34C366710,SHA256=FFD53255151BDB7309D518950ADE266D52C8B50EBC4D1DDDE347C65CC3C6BCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:00.297{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8312E28A6DAD4C86ED4FADFEB37850,SHA256=B66D41428DE94B75E65C9A0350EF1C148F4F34B79C09481AFED44BAC1FB14D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:01.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF6A7C8F6BF9202DCA36D742A705350,SHA256=D0DBD7D93D2674582BE781E392CBB76511E1DF49B3D14FA57CD04306F45B103E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:57.782{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43889-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:02.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2302F14542B32B853BEED9CB5B023,SHA256=F80A3DF13E905B1FB4A0756BD9845BD275C76542594164A6CF9A1C9CEFA95248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:54:59.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59185-false10.0.1.12-8000- 23542300x8000000000000000975079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D62D71DB8F675F88B9825431FB8F35,SHA256=A7953A43A08DE97A263AE299FCB1A0311B843E64C9BE5410356B6E6B6122DA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:01.828{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:03.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C05754C3E7122AAFCFBDE4999FF41,SHA256=BE1FF4F4ED132492E9B6541157478B55978D357AD8F152F7528AC2EF0AAA5BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:00.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-59013-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:03.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94BDCCB51B8A9F1A07ED27B897B3C9DF,SHA256=BF69FDA63FC0A9649946DC6675179586F57827EE5D84218F49F426C0D3C3DBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:03.006{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD894A6428A24C01AD3BD5575B31C7,SHA256=6AF339BA62987BA3581FB81ADB4B00262F40CF6D4DF3F8A3B5688D3A16AF0B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:04.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36504F6CB0F4E66EEBF63940233E8BA,SHA256=B92697951AED1C20ABE061CB9F58EBA87457FB2C83BE1C596C487613D4873CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:04.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64E5E7E17C770C4F60809EEFE6EC3B16,SHA256=9E0FCFCBEB40CA5863C41DCF971A4C5D7D92A3EAEE05D0F4DC7D374B53EAE40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:04.165{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EF128E77B109DC8D3F1D691BDD4302,SHA256=A57E0F1A095538FDA6B198F22A9163EEC4B2B24BE319B2FC78672731C35DA079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:04.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FB3CC2F39D8999A1ECA690335FB44E,SHA256=55F28CFE4D7F302C053B3C11F7F9680E264E5DA86F2E8242B0B0EBEC518D20FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:05.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22853906B39D6A2784A1769AFCCAB4D3,SHA256=000AB3B52ADE09F1BF837F697A3861BD940F3033303E9B6B77F2ECFD40E54126,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:03.112{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:02.732{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:05.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27C38673A419C4284683668CBE05227,SHA256=5907EA52EB3E55EB5A0D550A080771EA2ACBD107064532EDDD158FC304634658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:06.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318553119478C572E560BE86B23B50BE,SHA256=40493702492B590F5565108AA4D6020569A51796D61078A8607CC3B307E0BAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:06.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D91A6DC4AA310DF440370A46B4792CB,SHA256=C07D0F89A8D16488B745E9B8D7546420AB111B43227C883BF7254BA34976F1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:06.186{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4291MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:06.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36504F6CB0F4E66EEBF63940233E8BA,SHA256=B92697951AED1C20ABE061CB9F58EBA87457FB2C83BE1C596C487613D4873CE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:05.625{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:07.418{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A16B3BF26C283A28AE8C83320D51809,SHA256=4AA96919718B12F30007C01A535DBF042202D4CF1763E685065DEFB07420B3EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:07.677{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:07.677{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:07.677{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000975088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:03.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13068-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:07.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D6939CC43A10ED8D78362775B11A8F,SHA256=E270E51E00D2A25875B56CAF46AD6DF28E0D8188FD67892EA166BC766F34D98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:07.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C831C4D76CD295A325BD4A92B155C14,SHA256=063F448CC9F1881C7E741C4D2D784927739004E0EB55060275E330644FEF3D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:07.204{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4292MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:08.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1868D6A57B5DEA3BF634067913060D7,SHA256=CD05738ED6A3B0E513700107488326D6D4DA68E338F3C3951F3F535520B12F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:08.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=881C1EE27E4BC2222DCCBD290C57179F,SHA256=7F61BBF080BF80A008066CDEEAD7D33164D23C8AE48B2619C852AC0DFA74CC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:08.084{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327B3C44EA32405E9529FA8BDC284DC5,SHA256=ED4A364F9B72BABEE992235DC0FE7EFEC88AD4B24781375A9189C077BE6A6D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:09.448{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA240F6592DE5E6F29DE9E46F2BF2C6,SHA256=6CE300350B8CFB997FBE7FFB1E6A408F1CC071A86045E90880B0B68C167D8D67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:05.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59186-false10.0.1.12-8000- 23542300x8000000000000000975094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:09.084{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB1BBFAC6D923B7D385DC236B0AAF59,SHA256=FF80E7C2084FCDC5AC88D978EF1B203C5E42B854F2CB0BD8B822917E4708D311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:10.463{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082A4B4AC553BC1A3E89B3DB30531737,SHA256=D0235441B5B9347D00F66C385C8018FBAD34DF6A9968261F75E86813460557B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:07.330{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:10.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAD7447EE850E80511B529C0C8E6448F,SHA256=2426D758FF66C5F6D3C6752D4515257A45A684F2E2427F5EA8603F2B7F7C2105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:10.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE495E1FA63993FBBA72F0C952268DC,SHA256=BC8A4B7B4AD27B25F8A9B2D6A4C90B5AB469263F2F6395721998DF6DC8CB9A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:07.772{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:11.731{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65380974F251DBCDFD4BE5CC645195E6,SHA256=294B35803469B60DED50262C4D04A43F806D518D0FC7C2F89DA81FB40E070598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:11.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AEE937EE26E11A52F8628F4360B4FA,SHA256=D82CC5122AC39759AB917C834AB7838FA246EEFAB6A6BBD89E8A195F61C1D4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:11.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7064F828EE854FDF49E130F8C71E0364,SHA256=833A8E68576AB989A7C1F6CF9AB3CEB05B3F9A148136724E80E7C0F722BDED1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:11.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AF9EA793F0E266F6082784373F5FC2,SHA256=04F3F1D120C5554ED425EDDD5625665BEAF8A932BE2797E7B843414DA8EB84E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:12.515{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0A83ED36A4AB889AE7C776FCDA5148,SHA256=253189807780E527FB77067C0040462C23AF414863294AD83AE68267D3C52B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:12.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102AF8189EA5C7F5D501BCD8D0D880BB,SHA256=16A2B2C0404CDC8879C7A4EACCF621A03461224BD9367EEC3D65A42B4A77CA99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:09.113{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:12.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADD2AC5607B94244081C71CA707B6C4,SHA256=AE55CE5B7FF1450F88712FE5AFFD3B79A14C6B90146CF2592FA490D0BC178657,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:09.953{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:13.546{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD16F28AE7F86E6690565BA6760B3D84,SHA256=1AA3B4CC67E96BFB32ED10ED99F1D08B8115707F5724B5473FF1FC9E0ED5F1ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:09.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:13.318{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:13.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A84313282053C7512F4960D0170C46B,SHA256=40E5CBD4E59DB8763DEDD475BFCC42F6F3414529DE9E713D2F65F54A00328587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:14.645{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1EB1E458331A006046B2CBEA2597D73,SHA256=CD2A63794DD34D22A58D21A3EA56EA02020DCA5E101F0B628342010F3C1987C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:14.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB821C6E02F8C4D2BA19DCBDFE8107CF,SHA256=7E691C92C25682A0F00417D7FA5FF56FE9FAE663FBD18BE1388BC241B3B4103F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:14.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453E6F1A95668510BFEBF4C4EE9837AA,SHA256=D251279D36EBC3B5C250A39946417B7BF09FCC430B111291BAD4C869C60C0B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:15.680{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FB20D125D15835BFFACE79762CF8E2,SHA256=D8A848B335261C92D9AC273786638FF664C54E3A062BC57E879F8691BEFD012E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:12.087{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:11.954{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8684-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:11.944{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59188-false10.0.1.12-8089- 354300x8000000000000000975110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:11.850{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59187-false10.0.1.12-8000- 23542300x8000000000000000975109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:15.412{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061537B8B04C1F2DD2C4908B3489AEE,SHA256=8631050C5B55CC25F73A118FC170ECCB40C9DD362D32D1A202ED8BE96AE8CCB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:12.891{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:16.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ED285CCF64A59A320B3EA3D3CFF99D,SHA256=9241B4B21D95B84108CF8ED46E493273F5BF58AF6FC7DD7FBF3E17A49E5595AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:16.712{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E98173A3F61E267E2F9912F1838893,SHA256=03C26FAC7086242074DECCD73B04F3646282A20E4B7D24698447213D3AAC8439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:17.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D895B077198EF11FD09A198917FC736,SHA256=4C9A73C9289804BA8B26A890BDFE8AAE0733195ECA2EE5A3B50378B4C58B9642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:17.714{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8424B0E97B4865142B343F46E095251,SHA256=9B75C1E65D85EA7EC0B649E81C987D048153AEAA1105442D94B0953262F69A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:13.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:17.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB560B4EE41B833FAECF834D762D97F,SHA256=17F11B94C01425E3D164156D3E02FBC09A71EF03C2875EA0C1B3A0C536AAC9FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:15.290{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:17.143{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E03A18CD458B5391F172218E015EA3D,SHA256=BC463BFFA1860BBCB5746AE0A306C7CA12F63C6638730A6102C41374BA2DF263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:17.143{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F19D58D186B21753231C2E248F744B,SHA256=86CE372A652F269C26B3EA07ED6A1D67C3059CE85D58142642D4021F48D70781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:18.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE75EA1F80979C84059D61067D8BD85F,SHA256=62DE9CF557DAACC8AC9E395E02C63F8B91D38D47C6E013E1CA77C62F0B3BF767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:18.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA37CC67380B306A205F8AA698F5F3E,SHA256=F55655DAB24CFCB889D5334D0B32EEE9C82C4BB19717B109C3510E70B9F11545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:15.092{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22279-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001046694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:15.868{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65518-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001046693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:15.868{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65518-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 11241100x80000000000000001046698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:19.782{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001046697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:19.781{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=0313CCE8A61040620EEAD5CF43FC71FC,SHA256=F13685ACBD152E83DC9964E006134EE68E6BD0C2DEF462D10FD33FFCD440B55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:19.749{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4791B6DB589BB11B9EDF48D7D77952A,SHA256=048FE4B697F6C918B019BD4CBF725B4CB5BD4AA06075A0150A0499BF83B8F281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:19.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDF16A1B6568F96FBA9D613B0FDE3C21,SHA256=6E7E3182ABD3751202907DD98B5DEBCA6B66D073702A952B56ACC3845DC8240E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:20.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D11B1F7A9835F1078CE6F2229BC346,SHA256=D2FD78C607BED348B71085019D39787476634DA891486F28F59C72BF314AA20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:20.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B92958A994D87C0FB8C9FF7F1D7EB0,SHA256=74994A91FEADC082C4A7EFA13FC8DD5CE179858F1B994E3BDBFE6C3D5AC0D5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:21.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B61D9724FEC5DE707A498453951F2,SHA256=2E9108651E8D8C5159CB58AA84A64187449A365FFA708F60599BFBE357C492C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:17.866{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59189-false10.0.1.12-8000- 354300x8000000000000000975123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:17.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:21.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E3DA05BD5FDE5D6442926D68CCFD18,SHA256=488527639EB31592AF440C620A307879302DFCE8E4357F8D4A87CECF60B5FC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:21.521{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\30497MD5=3431178F586D5A5DC258C6C13D149162,SHA256=65C515FF59FD19C33D54C23AEEEA49D178F1B2E6768C6807EBFD4FE02F338EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:18.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:22.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F7EDFA49A35351F8FB4D04D55687CB,SHA256=F98E63D7B7837115747A6E2FE42675FA31C296D44297A82FEC85181A03B07273,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:19.831{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:22.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405BDB9F43F82C131AA12D9EB29DF9D8,SHA256=1EF437175F798EF399C062DA09D4CFFA47258D1CAA8919A4F7CA2141A4F4C140,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:20.201{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local65520-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x80000000000000001046705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:20.200{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460- 354300x80000000000000001046704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:20.198{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59156- 354300x80000000000000001046703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:20.198{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59156-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 23542300x80000000000000001046708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:23.804{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1403FED87C7317B13A14CC162880E5A,SHA256=A0F21E87D48389DA185CD7C34B3D52EA2B5035DB874502E1B1927C53743CEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:23.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02415739769DE62323B7BD845960C08,SHA256=081411EC6C3FB5DF0712A9F67D73C4E4AA0AE85E288D50B849D595DD105B7A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:24.818{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CBB383205CFCEB67B5CC53FC9E2E1A,SHA256=F60A6CF5F5BF708F3598651EEFDFA0CD9E641FC15A8D1BB5806AF623A9E76CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:24.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A8C66F949ACAEBB24C4475A50B9F9F,SHA256=A5698ADE9E835AA3A86094A79BF6BE8D60B3DC2BA67900E5F19D29704E8B5CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:24.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA458E0B7E38353EA41761C45FD1019,SHA256=B9EDBA75E066F35A152B00071D398467CEEB5A63407D1C6655C977871801B230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:25.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A08EBE70FAB12946726E853EC5EA3B0,SHA256=3358B7F5C5DA1A25B536C13260F00B52B7DF075E5AFD6FFD018D5D90AC4E9365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:22.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:25.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEAFB58D9A6AA91AB901767D80FA30F,SHA256=352CAAA2329BB6B9D99B70B917EDE82DE822D31CB2A104E55A50D8C8C8D93C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:25.533{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\20572MD5=38F7DE2F952245E06FAAA1FD95CD86C6,SHA256=8A89C8C5B0366B579AFD9268186DA32831A18EDE254DD3962B469F221F4C53DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:26.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE22A3AE71413321EB5DE239C0BF4F2,SHA256=38372408D67DAE9B2AF08CB8F4DB0FB7D43C86E253A59E3A7D9E71CD6E9E720D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86FE-6151-5179-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-86FE-6151-5179-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.772{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86FE-6151-5179-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.757{69CF5F33-86FE-6151-5179-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EAB80EB3EFE7E1456664C62DFC0940,SHA256=D813EF5C2A68D76B7CD2EEA949B5A42CC035C69C172F7F385BF4E7525A08898D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:26.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3DCD769F31BD544529B1FDE5431AFF1,SHA256=F5B5379F3503628AEFA19B32DF19E57004139A2F03F0A4F6647DD483095B88A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:26.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E03A18CD458B5391F172218E015EA3D,SHA256=BC463BFFA1860BBCB5746AE0A306C7CA12F63C6638730A6102C41374BA2DF263,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:24.757{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000975146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.241{69CF5F33-86FE-6151-5079-00000000FD01}33043104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86FE-6151-5079-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.085{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.069{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-86FE-6151-5079-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.069{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86FE-6151-5079-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.070{69CF5F33-86FE-6151-5079-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC40638566CE425F64490F9F9F986A14,SHA256=FF91800BD2231416A3953F6704C6D5DAC54EEEC80D2F58E5EA7115AE1D8B2458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:27.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE388E0CD30B5D8E255F54718C102A0,SHA256=8BF4358575D8CC5C6B78E2820ED9AA0805C1D4BAC437B725B416578F7A1779F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-86FF-6151-5279-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.444{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-86FF-6151-5279-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.444{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-86FF-6151-5279-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.445{69CF5F33-86FF-6151-5279-00000000FD01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1E058C73E8276ADA1C9A493379EB51,SHA256=61F456F713C41C18B592A993586DECFF3AD2FB5D368BE2106D1BA1271D460CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:27.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BCB5E6D29566DC0ABBFE41E57A1B2F6,SHA256=2BAF792064BC33F0B9593833C267BBC03B5AA79C5C6817F47BBA84E98B05FB0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:27.632{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:25.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63508-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000975162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:23.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59190-false10.0.1.12-8000- 10341000x8000000000000000975161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:26.991{69CF5F33-86FE-6151-5179-00000000FD01}5122548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:28.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FD72A7703E5F7A1A3B60A7752CD393,SHA256=3C192C5DF6A3F6A45CEC055E78A63C74C16D813B7070AC17930C2142C1CC3FA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:24.651{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000975206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8700-6151-5479-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8700-6151-5479-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.803{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8700-6151-5479-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.790{69CF5F33-8700-6151-5479-00000000FD01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=479CFD921250F9F4BDF327C33D50679D,SHA256=976A9C93C36DB080C93F388B7FE8112583DF092C0437E68C18AAF0FF9A322C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253FB812E797A60D60FF4D17066F1192,SHA256=FF113C80C047D7ACE4DB5948372F446C8BFF84FB5F26FCE1DF1BB74FBD7C7FAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.397{69CF5F33-8700-6151-5379-00000000FD01}38963424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:25.769{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57429-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000975190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8700-6151-5379-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8700-6151-5379-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.147{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8700-6151-5379-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:28.132{69CF5F33-8700-6151-5379-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A76677CC887DC63016B41126BEEBB5D0,SHA256=4BA43D445789090634BBC62C9BEBB2E122AFA1B415344396F0435C5FDD8CFE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBCE3372B4E7F5F98BA51B9CE8F1389,SHA256=45FBEFB5A691D84C6626353BA427DF7785DE9C475173D233CCB7712D86EC8AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:29.899{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5E843726766B1C1F1C3E99E7946123,SHA256=1CA2C17EEF90BB6E73BE33613B520ABFCA6B99B2B02FBD1F010CE517EB8734F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.538{69CF5F33-8701-6151-5579-00000000FD01}923908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8701-6151-5579-00000000FD01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8701-6151-5579-00000000FD01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.335{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8701-6151-5579-00000000FD01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.320{69CF5F33-8701-6151-5579-00000000FD01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:30.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C2F1209A3BCCF4655347F812159AE,SHA256=E10B8AED21596C898A417074F86B8D3134A2E5917C86C80C67077F979D57005C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:31.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CBF01A94B8B5AB586BC62373B05944,SHA256=B54130150852A19DAEAE8E32C45D98314EE3E8F6AF2E2112E6D15BC9D83482CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:31.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8FD2D9CC91683AB417F64054FC964E,SHA256=D8E296D2C04C68E6AF9CE8298AF7623CFD846A4D07605D21E7F6A48B54C81DF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:29.769{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001046725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:31.179{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:31.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:31.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:32.961{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B0C1366446D75769829BC7CD538003,SHA256=2A6CEF24488B14C9DEB6A1A85BEC244EC1EB3C22D3F1347B19DA97D3FD7B90F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46190-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:32.428{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=26AB04FA57F5AB3B36BACB086DAD3A28,SHA256=AE00114992468E3F9ACE23EBEDC2C988FA331BA1BBF7C0D2AE89F66BFCFADB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:32.303{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435756E033CC09A1A3124AD127FD86E9,SHA256=C73A94139FB64A70FAA6FA5C1EC97050A3008A63DD82CE56F70923F5488A5203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:32.683{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:32.682{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F9B3F559AAE0DE73C57206821ABE57B1,SHA256=55CB20ACCDE7BF714CD1DF9FE9A4BB23C958CF43350BA903B40B94BB19359024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:33.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7628EACA22234AA2BE93A3140C76B5,SHA256=3928BB67F373A7DAAD1A2A206E28F14BE560889BC83DD084408DF92468B745B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:29.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59191-false10.0.1.12-8000- 23542300x8000000000000000975228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:33.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E450E1C9AEBF86094CE68195E51E0623,SHA256=2BF29F15E6392C2DA3ED1AED31682E2C74B0F9C5CBFF72F6F2154F4A90A04C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:31.506{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:33.345{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6219055C0EDB59FECE0F503967C88B,SHA256=DE779AC1CF4B39B78D9A94A33F2BC60F4692B4075939796D97EA8A76E3E9EF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:33.345{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3DCD769F31BD544529B1FDE5431AFF1,SHA256=F5B5379F3503628AEFA19B32DF19E57004139A2F03F0A4F6647DD483095B88A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:31.492{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:34.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D012A400FF78B29546FB681721F10BC,SHA256=E64D95956D5B86D57E041D63AA5BA0BA866C292D3E84DAB71BFC61359CA14507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:33.052{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de57472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:34.445{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6219055C0EDB59FECE0F503967C88B,SHA256=DE779AC1CF4B39B78D9A94A33F2BC60F4692B4075939796D97EA8A76E3E9EF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:34.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8F2EA263B1828B8D9EC2EAC36DD8C6,SHA256=38700D918AA48CEC7218F4F1AD09CCACEDB1229C351D0158EE2DB8CF86679ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:35.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=765AF5D6ACD0601E6FFCE599BF712ABF,SHA256=F1D9ECEC6FCDADE43AF4B4FC522A3C93B569722B4A2B1DF12147192FDE9BD4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:35.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F512739D2E7B3B28A1491B5A89323374,SHA256=6505392E174DC531F086E346E87B2A8B13D7B381FEA97797FA39061CD4F4E765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:35.597{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9FA939FAC9E09B54BAD0D23DE7BB13A,SHA256=2D84DA0FCB41BE9F68C13A6E2C1CF709FD264D71F4883E47243316BB9445AA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:35.060{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843158182DCDCE96EA905A65CEC21F4F,SHA256=A1DA03C43838ADA0F62B3488FB408C4935CCC6F417CC44F6E67B564EA4F5802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:36.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7E29D1A8AF8D6CA5B1592880928B5F,SHA256=2D011001E1CB62541E58787AC8BA82BB220A06B99B6E27EA13543EC6C18AB832,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:33.985{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:36.259{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:36.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A9E08D81392FC00D527B123DABBFA,SHA256=F075F7738139E863E9F6CCC5745E5B0959CCD7FF6ACBBFB64DCB809EBE4A0A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:33.068{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001046745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:35.951{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001046744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:35.804{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:37.279{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F472EA91E5AD27EFB80B19D0F363195F,SHA256=F5C6B25105227FEEF05BE951EFF9681DEDC0003F79420B56F9AFA51C637632D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8709-6151-5679-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8709-6151-5679-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.959{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8709-6151-5679-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.945{69CF5F33-8709-6151-5679-00000000FD01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000975239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:34.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:34.057{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15076-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:37.209{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F84FA186A45729A01EDFB7AEC0822D9D,SHA256=BE31DF12E15A256F852F18DB991949CD2B91778DDCE26BA80D0FDD4D86C021B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:37.112{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:38.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7140ECC1AB697268D232F2877E32BB,SHA256=6FE37408D933109DD0954D2DFB9192EADAD69C1B8688E15F3E63CB0806F7826A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:38.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42EE8D2BC5F820A3D912F45B0498BC4B,SHA256=427000CA1D3E77C1E1D8AE53E897F66FED8789E0EF8051D1A13000C0B232CA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:35.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59192-false10.0.1.12-8000- 23542300x8000000000000000975253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:38.084{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D584EB0FF2A1AC4A692003BBF88ECDB0,SHA256=8AFEA0ACF85DFCCD8D55B307620268D303B8A9D7FDFD8CFFFFE256701471755E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:39.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC5AD4217203A1D7DB148117EE09781,SHA256=40B9B43AD5B1DF86491568AC128DADBD4E4403C0A5CF7715991C5C7739C3C0F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:36.809{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com47590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:39.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D79AEC58C5042AF5AD4A5467D593C0,SHA256=5AAF18A895E6002E691D9C6654FF664C78584AF44157E5C9C30279E10F0F0651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:39.122{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0C11DD4894A136054F98E608063349C,SHA256=6B8093FF6954A67F9FFE0446B68A2F0AC2A9A712AA4966EF478C26DDE81BC576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:39.228{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4292MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:40.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBE29F2B28CF8711A1A56FEBE6C7C61,SHA256=9E0EA035EEC2E1A9D0F3D67223D27AABB8CDB294BBD578C99A32AAB18767D399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:40.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF64983D3D3329DE7128975A072EB86,SHA256=9F113882CE6C2E23313A435661EB253EC060B5A23655B0992CEC5D66C2580CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:40.243{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4293MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:40.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A60A525639E5E0C31145EFFF355D8314,SHA256=47EFA8F6AF90CD0F88337ACA8B8F7AB744CC73F7DF09412B5937FDC158BFF296,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:39.369{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:41.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F2D9FF83FC3DB4A634C870102214FA,SHA256=E4B1A3409EA9944D1BD838D631221013103222A617C3C1A10AF22114ECCEB3E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:38.813{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:41.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E1F10A12FB4C90C1A99C632EC8F40B,SHA256=D163FE98DD0FE15B2A97980999D0D5F298D4210C4BFB8A8007D79C8F3E7FBF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:41.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2049AEB186BA04500F14A510323CE09C,SHA256=68E85A72FB87F144C1BA94C2F7536A4A7BCDE96DB811FD75E8A0294F3F6343C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:41.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DA5610317A7EDDC562E7BEE2403F076,SHA256=0FCB36A4C6F7FF2A7BA0C47069599D4040F3EDF2F94AB9960E6EEA76D78BB263,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:39.681{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64470-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:42.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008E9FBDB5239179C714C9DE020E5A45,SHA256=E9EDFAD8A7026D981170E9932B636435C93CA286C11FB839558F7065A4A307DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:42.378{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217619CDA6477247FC286C753B9C1ACA,SHA256=0816B7D966A567938310F9678E53781939313EA248D8A6AF88BEE9D64DD8B96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:42.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=123F3BDA023AB4F1EB20874FC9225538,SHA256=4DE2FFC13EDA5948968F944EFB544EF41D33E3D3D901307F1EE21C8A3FF17DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:41.820{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:41.625{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:43.397{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F87081118C49AF4E028E8CF049BD9,SHA256=8353C86AEE834B0AD71E0A39C6730DA3B1AC71794E0274CA9D98D501B9BA10C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:43.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF0F21549D20CB2C03B2D81DE1B2A1A7,SHA256=053086EA1205C752AEDDE25802E7CD8A31CCC473AD8F8CBEA6E5BD061BB1C8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:43.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EE8B1373E0F7C4661EC05ABBD2DF9D,SHA256=9B7185FD603F5E0CCA3B0486137D7B233BD36C6AC27C97CFAAED3239E0C48A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:43.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2049AEB186BA04500F14A510323CE09C,SHA256=68E85A72FB87F144C1BA94C2F7536A4A7BCDE96DB811FD75E8A0294F3F6343C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8710-6151-C279-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8710-6151-C279-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.759{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8710-6151-C279-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.729{5EBD8912-8710-6151-C279-00000000FC01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.397{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A4134EB33C8FB90A85DB142260A12C,SHA256=0D51560CDFE78C5EEEC597B3D68BB5C163E507BEC0967DBFFFF9371EC198B50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:41.773{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59193-false10.0.1.12-8000- 354300x8000000000000000975270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:41.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:44.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C455CF7447F4A8ED3EA166EF33E7F3,SHA256=28A331E40759EBDD68AE6D676272A4A2436C4A3738C97144502D141053FB5530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:45.459{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256003E0642F278A07734E5C3677FEB5,SHA256=12BF091D6EA4B424F59E69FF1E7FA1186752E5FBC1D5B8877657FFEECC83D7B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:44.027{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.728{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F2F57B9A5F4E1DE097D0BE73FDCF093,SHA256=E857835B09D41C6E32402A3975B94DEDE9252C6CE6548B8C6911FD184EE21E49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.713{5EBD8912-8711-6151-C379-00000000FC01}54685640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8711-6151-C379-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8711-6151-C379-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.460{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8711-6151-C379-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.430{5EBD8912-8711-6151-C379-00000000FC01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.397{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC8CAE7403A1AEA773995D1DB0BE56C,SHA256=4A0403F649C922DD19D6C53017C1C6F326AA9DC4CE75F2F79524EA28297CFE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:43.815{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:46.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BC374E7DDE80BB47F30265B02EC212,SHA256=199BD20258ED16F9EA6D171EB3C25262F2277DFFB884D1725616393929E21D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:45.121{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734E1C320BFE03127E20C52395347882,SHA256=FCEF18DEA2305B3AB2208C8EB836D9B6B3CB751335950AC1CA78A07B6BB121D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8712-6151-C479-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8712-6151-C479-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.159{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8712-6151-C479-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:46.129{5EBD8912-8712-6151-C479-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:47.459{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D7E3FE4D4F39252997F90603CABD92,SHA256=BD4860695062B599268613E592B420860ABD56E12C81F8B89CCA4C30B04D65EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:47.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D24F40E4A9A3F91B58FFCE58797BB25,SHA256=5C51DFF23F5D52D1C5D7FA30CB5F4DFECD749B4C3A637616A3E3AB1A060D0AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:47.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C0B601D67C6EC3140DAC61780A67A9C,SHA256=C69DEFE4E00BA1A58628EA83420BBF222E20004FEFA277E543EB18A45235F5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:48.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2901F26B1B99BA77FD60FF38B2C9605,SHA256=72A36901D26AC105BEF09436EF66EB589ABFC950D8A2AFC3FAB1F8F021F60CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:48.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB67761E316F9BFB418AF9866F58D88C,SHA256=FFA9401B814D2F45B81D1B599301202E6744C8D756EBA5527C6E1937640E4E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.900{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.463{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C862000C13BA7F4D01A39D2FF42B51,SHA256=437216291A8B1621FE1906AB1214CA3E5F6381ADD85C2482471F80667FA4CEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:49.506{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD395134A4A398F225CC466352BA876,SHA256=6E647A5637E0C46B80B9AFEE83A825E5AB37A910270F05A87BDFA7D63B72B111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:49.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F647D07522CE366A5C04DA852CCD72A,SHA256=21A4330E44D0637B731F642DAF5C312392B29493934725C05D025E690FAF1C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:47.803{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:48.936{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:50.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854C1305D917C515769A7EACF5FE111C,SHA256=768D54EA2647EE3C8CE85AD09BFB2787A84A1E7C877FA7FC21060B4604D167FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:50.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D96E598048893A8765002048CB7E2EF,SHA256=12D33C5E2B9AD028CCAEC27DFE75E6304D0814B98317A0C2603660F8DE142B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:50.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465D36F1CFADA4CBE87560A871AF2920,SHA256=EB15026C85EB67128AE4BEB782E8E26434D49C72646CD6D036095C96C5707F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:51.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26D65AF0CF318C27D3D10761E39468,SHA256=563C79283921760DEC92BFB116D82DB6B605502CAAB8E3BC6D530E83A05C5EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:51.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37693E39E1E9183FE7CD5DD217FBA4DE,SHA256=6141D052F0C63C52A86A7EA1232A7EEB19CA9594E0D9BDC456A998AFA4EE312C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:51.646{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D21500BF3602EEB07518AEDD2F0689D,SHA256=6C162985DAFEDF2D963A3B4943F762D281CF29FD19036E942C0E7035653615E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:48.561{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:48.081{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:47.726{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59194-false10.0.1.12-8000- 23542300x80000000000000001046832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:52.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1660B653C20EFF70CA1E4F453475B64F,SHA256=2D5572254DE99609B8D0801F5DA44A610CFDE4ED833E027CBD2202EE7505283B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:52.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2225E1883184F8F8E3A4A94D78D449,SHA256=08FAD2EE7EB997834CBC9B1D4097E3C374FAC8D185ED2972DB958E32CBD84FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:53.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F30A017B5DF003DF773F333AA056DCF,SHA256=43F68BDA5EB73106042B8C0898E6EC14921B1A6A5B933291E5B4046C0F594BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:53.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399314D991F05FB1B827A27F74A0BE4F,SHA256=BD71B561C0DA08668DD008C6A5ACBD93D6ACB5EEF98250FB73A99FC6072D13C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:53.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3B1674EE0984874DD4E8822EA6A79CD,SHA256=B004E6A429CB6FA3899F677ADAA97CAC2270659FB803A88D2B7372CB07F1ED21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:52.805{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819BA3659BFBD57C420FE422E3180514,SHA256=D71D5F0E5B7CFDE00E241414B868EB5696BCCBFE9F325BA7960EBA5F19158163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:54.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C094EC711C8E88EF3D8782FD5E8CE43F,SHA256=0734C6AFB33B200C4AAB3143EC43CCE91644D54FADD211D27114B4DB1326CEBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-871A-6151-C679-00000000FC01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-871A-6151-C679-00000000FC01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-871A-6151-C679-00000000FC01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.762{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.748{5EBD8912-871A-6151-C679-00000000FC01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.283{5EBD8912-871A-6151-C579-00000000FC01}4326456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.080{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-871A-6151-C579-00000000FC01}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.078{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.078{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.078{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.078{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.077{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-871A-6151-C579-00000000FC01}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.077{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-871A-6151-C579-00000000FC01}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.060{5EBD8912-871A-6151-C579-00000000FC01}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:55.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7D49AD7D7997EE52CB37545D4BF1EC,SHA256=F7993E581B3459AEB69BAC9D5FAF77FBF1DC21AD475164D04A93081B557AE4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:55.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F724755BB76ACB11BB707355A6B2528E,SHA256=02CCC3A36C68594380B989C353399086053D3506C03A373BF0E25F23B8D3362B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.615{5EBD8912-871B-6151-C779-00000000FC01}44124492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-871B-6151-C779-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-871B-6151-C779-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.446{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-871B-6151-C779-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.431{5EBD8912-871B-6151-C779-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C01EE2B0801A7F4B8AB4CF42A0D14F40,SHA256=BAB4B4899E85A1C027F446193325A68F80CF655B5E7BD6A206D9E45CED9D7CEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.015{5EBD8912-871A-6151-C679-00000000FC01}67445324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000975290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:52.505{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:51.456{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:52.866{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59195-false10.0.1.12-8000- 23542300x8000000000000000975293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:56.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC57D35A1ABEB2D9D92B48BD726C08C,SHA256=5147B15E7CA564C0FA214F989A71F088EBC0124C675CD61F6EFD5CC8C6196BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.414{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD3F005AA47BD69DAB8A6B74864C8C3,SHA256=5E5716EDF36ECFFA8EFB1D2CFB25CB125F910693D3DA00D63645F1D90C08437A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-871C-6151-C879-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-871C-6151-C879-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.145{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-871C-6151-C879-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:56.131{5EBD8912-871C-6151-C879-00000000FC01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:55.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A5AFAAA5560F78BF6E8639D3705050,SHA256=5517CBC07C6CD63140107C5249641DC9D15DF36B9E835D83C942B44617A41578,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:53.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:57.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23769F6F2EF5B8B074AABA74C835C409,SHA256=317E3FF7AA64E11E93BDFD8D6F97C6200DC0F8855091642D2DE3FFED11DCC458,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:54.494{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59049-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:57.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A657578EDF16A3E235C518575F6CDD40,SHA256=A74FC2D1C9EC46483167EA85D0EB202F193E1C2D08486C4F4BD8067B7A4F4EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:57.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388D18D000F982F8D7B6C6E964C544B0,SHA256=BBB603D8C85FBB4EA06695F373477755018771FF5E63F81A5539B5F302FD8DB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:55.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:58.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037A8C9F18383E95FD1A960124C0C91D,SHA256=D5F5E895E9C9BA6E7A84AE6E6D60F4442A45881F2D62C4222B865C763C528D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:58.028{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BA859A26441A7878390B92FACB63D2,SHA256=EB25E3484CBCA129CA5B782CB431BC6C793A5CD5894475427D1167CF26A4E6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:59.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2622808FC5986626EC85097C945FBC68,SHA256=87605DEE34DA618F24CF3A782093543DF52C8DC7D67CF0D18A9F9C45E8222D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.030{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266C69FA27E3ABCBA5CA187CC035F310,SHA256=B8F10AD44CC586810411EBDC55D8C07EC14CE2651B74E039229AC157ECA2F17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:00.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=648B2397CF76525445E98F6B372F2820,SHA256=3444FF1696D7CCC77F9FD310EDA2A6E1AD31780334C0BD9A42E555D96FCD467E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:00.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897FBBFD8C7FBBD4AEC2D3D5CD0BB54F,SHA256=3BF1164F9D049BBC000B8A295A17FFE0598D052EC307B808F8051DE07B3190F8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001046881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:56:00.261{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001046880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:56:00.246{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001046879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:56:00.246{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001046878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:00.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58EE81DFBCAAEC07189947BA6603010,SHA256=CEE1C41858CDD32F171C9C3D46EDB3DD94BE4F7A7A6DCD624E0A5A31368563FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:01.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7987B6572FBA3D2E1D553250382A4B5,SHA256=6208A999DE119DC330D5ABCFB78A80E3A0D2D8C50AC04F6AA7667C106130EC21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:58.821{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:01.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793DA534CE5131F00027C9B03C70D13B,SHA256=0669396EA2F789E11DE62E6760548EC26F4EA2B3BD38A64BD3BE54FECECB9933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:01.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4DEB702D5109D6E7F452035C71BE1A,SHA256=738C534CB94720964F4596923B916AF4808276DE8A491B24752C6FF63985D9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:55:58.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59196-false10.0.1.12-8000- 23542300x8000000000000000975304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:02.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F827EAC3DA42CEEF0873375D3830BF,SHA256=C92376CE14F90139B2BB3E86A71B4DF268671B0D6B61C34C2A616723640FF474,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.968{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65531-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001046890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.968{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65531-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001046889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.960{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65530-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001046888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.957{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65530-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001046887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.939{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65529-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001046886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:55:59.939{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65529-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001046885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:02.080{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A27F0750FCB3938275D89EC9ECB7262,SHA256=2064E7940DD108403E2C9421D246993D9F0E0BCE327B490DBBA9B2E01CBF16BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:00.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:03.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EBC7058D1EF09B014B5A76D0F19C0E,SHA256=61E8F034A5B73E167BAB71FEDD35C62BB11E03A28F17732C578D12B697651A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=48302B145C3B3FB44D96892ACA410B1B,SHA256=3ECFCBA71CF9B76523BD347D67E2F41F5B86E35473E2F198ADFF993D3C6486BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=ED4E56168506427CAD547D46CB402880,SHA256=8C7E801F88614C030AB1590B7BFDFB670827F3E618E7D85AC3C1D343D44DAC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9D4956D13DCB1A89B1644BA96DE7EFE7,SHA256=0CA04241E3B7A9AA9967513EDCA0CC5CCDC24CDF35993E50D6699AA057FF79ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E9F49D90A9A1094A8A220CEBA44432E1,SHA256=D9F4D2DF05CCA990C457DBB2A3FAE0235E31D1A026BB02F0777C06D9DBDDB2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A2EBA85F997AFEA3E121142E28DA8036,SHA256=B42E9457E96BE33C8E8934BBC18B3A9FB8B18871104484D00665B841B42E0D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.814{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4C8CC65C7BEEED04AA0ED7B0B150EA5D,SHA256=74FE3A36ECB15FBE45AE947A6D0202CF0BE15744D29702BA702A8033EEE36C9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:01.604{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63512-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001046894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:00.899{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:03.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626B26C37DB0FB9156A7F2431740F776,SHA256=96A46DDF133E85208D8FDA245145A4A78B515F247B7898B2B36C250D91BE10FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:02.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D225F4EE9F22E4EFD0B647DE9746698D,SHA256=1D07785A91499FC4CD9AFF1742FD38FBBA2042BFE41DF0A71261BEAD500C3E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:04.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E005287A306B6EDAF0871931E5A5E3BE,SHA256=E48B61FAB39581DFFB6956A61621BEDE501DEF142B4DB1534D039EAAB74BE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:04.481{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E3524068FC2995C1BDBABDDB6D8F0C,SHA256=62D03683C5A1E8327F7160A7EF815FB454C0DFF0F795036AA7A70690918DCACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:04.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69B4FB0B68F5D9BD6A3B787B68596CE,SHA256=65C312277A46E13ADCDDDAFDE1D9BAAE6FF960501EE2B61A8D4A512A8503E284,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:02.188{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64440-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:05.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B79592F8792D6DF02744BF183E280A,SHA256=8EDA7E3E13C93CD8C74845B95B9B539C89E2A52DBBBF415673A157D060BF6D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:05.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F34FF230D5FEA5CE0D7D7639E4962A,SHA256=4E24FEB6C4DC3A6777E12334252589F0DE34DCFCB530875411CEA3C653AFA6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:05.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB25F100CD7C342FB3753D927E152FCC,SHA256=BCB388964399EC07387C60FB85FAA9F1C381A0DEFBABDBC395491963BD9D7DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:05.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D421464359D3C728CE9A15187C629733,SHA256=5F64797B182B794869AF183C26D8696D3A65085F1DD4BB3356FA08A7B21C27BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:06.697{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCAA7866D136BB2247EAFE675DE575F,SHA256=E3ACF77FD9BBE75F85D3E1997CD39D545EACD5650598438033EAB47844A036A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:04.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65532-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:04.077{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:06.145{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386C4A1C0246C564E6FB0B9D7CB2DCAF,SHA256=90C924EECF49C75483B5BA4876A883D08C39A700CFADF2B1AC88EB6634A1F8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:07.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D3CCF34073E30CF906ED0BD42968EC,SHA256=089C75F2E6AEC8233F22723FFE224A24B09A33FC34A5437D5621056D4A95BF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:07.732{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4292MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:07.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33FD03301E02BB32281B1DD5708761F,SHA256=756C3ED55919D5F6557719FE33AEE0EB13431FD81F6A0332BDF33157497011F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:08.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849BBB5AFFE64AD8841915C3F79C1AEA,SHA256=EDC951B17F491EB94AFC41B37E46E12E928A030C78DD6C09A9D603D5908293C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:08.745{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4293MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:08.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA599AC2414DA226A60A4252E96A800E,SHA256=90D015AEE0F95B9D3C4A716CDC833CA5B787543F9C8B643BA0AAAF9A3E2BAE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:09.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF064E6C8DE7E0F78021CBAF46ED6C9,SHA256=5421B4F426A799F65D9BCE72D4F1EB480357A00071F52578A9C486C1FAC20E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:09.197{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EBACA63CD148FC34F3E52CE0F33BF1,SHA256=AD26FE1D00C2BB5765A21B299B3446AA5607495D8CFF76501D0B898B3B6465C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:05.347{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:04.807{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59197-false10.0.1.12-8000- 23542300x8000000000000000975319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:10.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B940B73BC09D52FB19C9B93FE1A66C24,SHA256=DCCFDC6FD6169DAB5A29B0B4A87E60CE38810E15041A230678CF4F64D4EACACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:10.212{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08B91B765ACA65F2EE8BDC636FF664A,SHA256=D1BA1E555841E0F7798D3CC6E33D50A4CDC55E89891C3E7FF41CF87AD5E93BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:10.243{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC50FD8B57F4C96885FFBE10D974F4D5,SHA256=4EBBB0DD6637A9F79A5A8E45A218027240DE26AB8E1E3814E9910A51E7CE28F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:11.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B6BFADA7BAFB2E03CF284166E6D041,SHA256=D2BE1D91D9C7DDEA25D2FCF902F0C816F25C400B734E509FDCE555791A84BE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:11.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB67F416BE25303A96DA9A5BDE7CC65,SHA256=EF3E43277C13F6798C214B5A6E96F883CF39AB75108147049D01431FDDD555AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:11.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2C71641D55D4C9871ADA630E5C4AE21,SHA256=2EA37337E9D282E04203E010A1FA27C262F27BFFBB1CCB1A161120E97372BE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:12.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4713F8BBE8C2EC631AF702063F7086C,SHA256=AF57FA9135C36D6EE5A26235FC486FAEBAD8AE1896D3B765C3546F7F6B704FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:10.765{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:10.723{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52802-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:12.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D44D9F1E359A3613B55D2E5EBEA01B41,SHA256=4340AC06F9931374552FEA361E6C8F132507F7D29397757616B7BC127218DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:12.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1AC65969555B6A8E876CD116FC3FF6,SHA256=10F2874BF5F7DE61F7DAD9715937B7217C7973D9198D826796E2E2B424A4A536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:12.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BAF1268AD6E6AE8C2FAE7CC1FFEFD3,SHA256=ADE2B779916C10598C423C6CF237DEEDD667CEE4C78941E81092AEE374DCDE10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:08.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52062-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:13.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CB05CD6D9B42D4999AD9F8ECE9BD85,SHA256=BE9BC4327B31EE562B7E865A66BD196F1CF1E8CAD3A581CC4E3005182B8B4E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:13.958{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D44D9F1E359A3613B55D2E5EBEA01B41,SHA256=4340AC06F9931374552FEA361E6C8F132507F7D29397757616B7BC127218DA61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:12.009{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-62270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:13.258{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4938C9F7C45D11269C3B284F5FAC0A,SHA256=820CB7C7FDECC297765D319763ADDA81854B58FAFA6BD3430F179ABF59371193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:13.337{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:10.474{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54207-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:10.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-47561-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:13.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98126345D077286F3D31C12C25299229,SHA256=9BFC3AD9450DC163481C637E576703B6B08AA1E521440399DD70FBAF61C061A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:14.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C045169AE420D421F6C6559BA899E77,SHA256=022386A25DB9D240FA3E4D53FF6A4BF354BA4CA3423AE0C07C7A89A08A0EABF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:14.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7301CA36316D7E119565A8DC9FE1B0D2,SHA256=796CAD7DDE4460D5B9322E351A699570E057B06DE943E6BD9BC2A437195741F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:14.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFD49787AE7B497535606D70C8C60DD,SHA256=E3AE5098900F311EBA76FE3907DD0B46D2BA35DFB708A1C981B0F44C56DC7D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:10.745{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59198-false10.0.1.12-8000- 23542300x8000000000000000975334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:15.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9CF0E3321D881C9A14E50279C2AF6B,SHA256=E4D80ACEB302FF03C02DAD6F0F5B28378969DA7656FE0C74ED1CD482A8FB04EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:15.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E105187ECBEE435240026DF380F2A6D,SHA256=55EE2120BB30C4909C89F1572A18FCE7C26DA9245557CEB78039F4E4237A91AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:12.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:11.964{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59199-false10.0.1.12-8089- 23542300x8000000000000000975335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:16.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E83270310E3C5436C267ADF3B70DCCE,SHA256=1088C5D27CFB893F1C20A34E9D40F95680DF078AD289724CC9A7259A8ECF9A8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:16.556{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001046929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:16.556{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:16.541{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfbff769.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:16.509{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=2EA2CFBA56C45A2D6535C42DFE93EEF6,SHA256=D4B69224E9E3815119C40E56F58222786E7FEF9848161710A6569B033B07F929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:16.426{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CC61434E1E60E386EE89A70E494A6E,SHA256=D66CD1716C07B96836F13E5F4F4CD5C3F752B535670EBE4D70339FC398F11C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:17.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE5D02E1295BBAC2B92CA645067AE78,SHA256=BCAC0F0F0A4527BEC1EF11507D799E1D57FE79C1F398C21A606F22EBD4EF3A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:15.885{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65534-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001046934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:15.885{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65534-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001046933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:17.525{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:17.456{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBB35715A7CD0407D43090106543802,SHA256=8DF24796A00A4390A429160F6A753ED41BBD53FDDB226400EFC3318E9044DE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:17.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EED4AE12133357CE4367688D98FCE4,SHA256=8C3C44671CFE5D886E44B343E1E27D88C940AEEA73C8E8F985262C1999C0D6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:18.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB7DD5C31C89C212E3D20B6730E47A1,SHA256=64657D741EF3F8D2155B64486F15781F33E9FD63AEF22DB17D21BE8AACD9239B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:15.916{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:18.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7C310EA857D1A5E9728889C642C25F,SHA256=C1EF3A3DCF5C3BAB430B5A26F316ED2779AD0CBF318859712C7EAFA04862ACF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:14.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:19.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A4BFB176CB68C88BCBAD0F0F6D106B,SHA256=A33253BD991A94F66A978660FDFC53BF066C187939CD50CA7E675616FD334E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:19.492{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDFBCB6619C25B65AE295AA6132F36E,SHA256=8A90A55190695CC7FCFDDD55E1C0CBB2DAA11C5D4236C00BD046B032721CCE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:19.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC7CA6ACE80919D1939FD9B8D65B021,SHA256=965563475EBBD904380EB0BB7F9050AF564D529EF6E44ED8074A29DE60328A8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:16.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59200-false10.0.1.12-8000- 23542300x8000000000000000975342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:20.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333CA5A1EFEB6494DE573BA0340E2E0E,SHA256=7CC7AF7C10FDC943B19DBE4295D18E9E26F5EB25412297980AAD73FF152932FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:20.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EEDB1D9530CD36D63319EA376D44659,SHA256=F9DEF0AE55D66D831BC448DBAC677CF19BD468BA55B3C7750823991DE62BEE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:20.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE72167DBA6203C30968FEDA68D787C7,SHA256=5FEB410BCEE32CB398C4740C39D21F7D8A000972EA6181C1F377DDE7799C35FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:21.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67110B856C10E84FAF6894B671BD96A,SHA256=C352C0E8AAC96A4EA73E12FFDE273F9F378DB18E054346CF593C2F085B35806D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:21.538{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C111F223189851C2A365F0658BFE081,SHA256=0C4F76AD6647D0545FCD3D914BB7112F5702838B20847A60756D3FA41231CB03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:18.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:21.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29485993FA3D7B9345DE26465CED657B,SHA256=8180B88E89F0713B831C6FA3930C78FA3D5D023DA7D9F54D548E0E142BCE6B16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:19.059{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000975347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:22.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC27A4C5CFC3526DFCB82E95ACAAB595,SHA256=85BE52987237D4F3DC510C71B8C1D541711247F8E47E4350FE92D9672C54AC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:22.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC828C2FC81791B5433CD09E0D09D88D,SHA256=C90DD6143BCB8A0695A0F5C675EA63C44215D2B1A9E6650433363CA17F8597CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:18.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:22.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A62BB62DF7E857DD641250182A3D6FD7,SHA256=117CCE7015BEB57395B6242844061D9699942208C0BDAFE48DCD95757DD66F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:23.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9527E468FE44E566F8473899089C50,SHA256=85B90BE684305CECD30F7454D4EA328A5569442E42119FBEC9B8D66FC476C6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:23.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E32803A039390EFD32D1895A5FD4320,SHA256=2749DCD080E82CDA4A10E9197C5E6210152FE6E16B6DD3EA69EFD871CE80D4F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:20.751{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000975353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:24.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F25C5126689BEC629945B4A608136DE,SHA256=E71722119EFBD8CE0C8C95C9233123DB836A9490974EC43A92161C66014AED0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:24.606{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57655028D25652D19D2355191C4023F,SHA256=6A1702851137FAC0D0B1E1208BE442E4C02178B8831434157EA545F3697045F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:21.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59201-false10.0.1.12-8000- 354300x8000000000000000975351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:21.647{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:21.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58617-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:24.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35A05BD2792F12ED0D97692149729BAA,SHA256=099BC48FA0609F8AC1269B29AD93DEAD035CA7255FCB2DB5875FE2DDAB4CBDF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:21.829{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:25.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAFA8A3B75C231E1DADA2BCED040E99,SHA256=22FBC6AAF126B47E8A44C613B8A785B7C1EDF245227D4096EBBD61EA211DD4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:25.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A45686CB3FD708D841E507954F31DCE,SHA256=5A982F9E60B84FE0859D0D8E9F02A429F2BBDABA4B12717F3CB0CE04D42DBEE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.932{69CF5F33-873A-6151-5879-00000000FD01}33323628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000975384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092CDC60D54DD0852ACDDAA7AFCF85B7,SHA256=A509384605E74BFF6779AE73446E5C6D497261FD0A7F8F95A3D6FC181EBD6C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:26.624{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8615145F9D4B1F3C397976BD7F0B9FC,SHA256=B23EC0D45DED771500D6CB080318141F6BBFD2850CE450F0E5E3302DE425CE5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873A-6151-5879-00000000FD01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-873A-6151-5879-00000000FD01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.776{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873A-6151-5879-00000000FD01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.761{69CF5F33-873A-6151-5879-00000000FD01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000975370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:23.478{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A283F8857970AE25A18B76FC9E77C4,SHA256=167CC4180A75F84B9D13A3677B909019E57E5C4F81A2550C27D911C01E1524A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.354{69CF5F33-873A-6151-5779-00000000FD01}38962504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873A-6151-5779-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-873A-6151-5779-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.089{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873A-6151-5779-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.074{69CF5F33-873A-6151-5779-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:26.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40EE3E18BED680AE3CED5CD076790290,SHA256=0031209D6D7ED4C7749EFCFDA6E4E39114C5020FE889553F5F9E45CBB81DBE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D324B1C756D1983C03062447C1BF5C,SHA256=0179C36294CEC4A7B4EE26B912F1454C8067322857EDE0F69B823575D2B68D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:27.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F535AD7117B2200B7DDA7ED3B7F200F,SHA256=52728BE1C6A5CB60F632B34AFB39FDD478E320976D3BAC44E689BEE0AA534D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=030321C815824BD88FEC0E1D0E7CCDDB,SHA256=46C97EAB4FCC6FC96A836754017F57F71578CED6D1E5F916D052531E3DD8C37E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873B-6151-5979-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-873B-6151-5979-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.464{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873B-6151-5979-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.449{69CF5F33-873B-6151-5979-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:24.651{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64118-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:28.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DAF694A764391F1D6DED69B88C1325,SHA256=963B4E0557DFBF7DEBF244906B1832A83CBC5E60995FAA49108A8D5F5A51E061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97460E70BEBAC15DC939B380526AC1F8,SHA256=B48C60271CA8D8FF9E852D267009553729B182FCDF1B5F38FFD35BDCA1AAFE99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873C-6151-5B79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.776{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-873C-6151-5B79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873C-6151-5B79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.761{69CF5F33-873C-6151-5B79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000975414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.339{69CF5F33-873C-6151-5A79-00000000FD01}18043552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873C-6151-5A79-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-873C-6151-5A79-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.089{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873C-6151-5A79-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.075{69CF5F33-873C-6151-5A79-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:29.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D01C279BE35E359EB01DAAE2A6D5A2B,SHA256=8D3BF21ED9EA98EF0C402B78E453CD2AC49ABF66215DD8A3E6106108302212F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.620{69CF5F33-873D-6151-5C79-00000000FD01}33802952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-873D-6151-5C79-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-873D-6151-5C79-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.464{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-873D-6151-5C79-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.449{69CF5F33-873D-6151-5C79-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:29.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81AD50AD8C7921AA10D350C1412D59,SHA256=70952E54393E6B8C41EDCBDD2B46B94A52C32C089B6B44287650EE174B19129D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:30.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7FBB9FC132038F5F542071F9CDD16E,SHA256=6C65003A6CDAFA16F624F0617DC33FE9A201AA51FF9447E0042626BD5495651A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.255{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-61153-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.825{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59202-false10.0.1.12-8000- 354300x8000000000000000975448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:27.130{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:30.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9003991204B5AD36A464521101C54A3A,SHA256=1BBE58AC8AE6F245AF04ECBA1D747C23F2D354242B7EC527ACA56A8B20EBF709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:30.385{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5417B6ED3B039B628A35DE5C2663954,SHA256=448CDE62F7E4206B0C2BDEECF60AECD0C7554A5C01F3F12A210416CE73A24AAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:27.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000975445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:26.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63154-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:25.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-26020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:31.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4996CB604D7932ED4EDA603B293D23D,SHA256=02065D6055903261C41EAF2A291E646E7560BA578030B8A81311F14AAD1E9C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:31.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CE78EDB3138D352982A95F097AE1B6,SHA256=EC342B2CD55B0B062FDF8140B60CA2044E033953890DDDBC5A1F27C9EB10115F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:32.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DE7336162A8E598B449F8A99BDDD84,SHA256=DE5DA023E4E899777C75197508821B49899512B6D7858171E5D1D022C706315A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:32.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A09F013730FC5FA57E67155321659D1,SHA256=EE9BD81E5DE47A599648696FF15C417C02D93740210E3BB3A428BE166A4D5D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:32.432{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=82DA366ED69133D03A0BF4F7379457D9,SHA256=E412013852240671D191C1C1A84B36889876F1F07BBE2BBF5C93854FD1051D6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:28.752{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38731-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:33.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7BD21BE44402CA80C64AA820AC774B,SHA256=1C866951FF9C8B1A156B24470641C914721281E927A0CD12694B730B77FE72AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:33.696{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819CC9D572ECDFDDC6539B1323FFC104,SHA256=5442A0063E5E5508FAF8D7A19E6FA434C913EB0959A02FC1FD6C47D8A2475523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:33.448{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA354DCAB013A49A221DD9353B339620,SHA256=FCA10DEB5DA28161592E24D7769BD9238D93D95101EFA73D30427AE9393B58D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:34.710{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB25627026FAAF1DA6F4CD8C83F976A2,SHA256=E29FC647E16F0B523E1F5BB21E8A43560C9F746D54B394DC0C9985F69E9CBD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:34.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADDA8924CBD05A5F6008E48968BDD26,SHA256=623CC57C303C68C3149A2E8B27BF1550116D4171164E6EB66DEE566D958455AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:30.959{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001046963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:35.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB110C22571D8527A0D924D1E7460FF,SHA256=D35AF92DD13733CD88474F9C80EFA44E98AF7BD1FD807EA94818D32967D41CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:35.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F470C9EB6A28908A2E15337E798737,SHA256=8306E155BC85EE3531D3920B3B21B6734A3C526C105808152AEDE96F8321C540,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:32.919{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:36.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDDFFD7B902C55B8D562AB08B651F3E,SHA256=738F261F853E356816BC88DBF6FF2E69D2904D970E48A5C7B6686AB8AFA332F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:32.856{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59203-false10.0.1.12-8000- 23542300x8000000000000000975460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:36.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601F867D4FE58871D150E8DA8139BD25,SHA256=B6AE6DF644BB384A172F62D251EEAB45BB3B4F226FCAD20F0C79A2572B6B627D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:36.293{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:37.756{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933511365B1CF1CC75137AA8E8193649,SHA256=3F5087B0701C92D5BD3F16E61FD7974DE4C89A56541FFE5115793C08725A6383,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8745-6151-5D79-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8745-6151-5D79-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.964{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8745-6151-5D79-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.949{69CF5F33-8745-6151-5D79-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000975464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:33.843{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-14375-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B43BF6A7F26C0389BA741E9070A9271,SHA256=E76754F94FBFC86446A2BBDC5A4E3DDB91E2FEE4F6BA732A58D69C48C8A102A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8F4A4D6E8D38174100857328618D48,SHA256=7E0590FD1AE1CBCF28CC2363098BB322043A73E65890A84A8FCB35CFA01A9F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:35.964{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001046966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:37.009{5EBD8912-7F30-614D-0D00-00000000FC01}8884380C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:38.773{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7224F2408E317E34C3870899DFFF530,SHA256=C156FE6CB00E9461E026CE5A894D6632B3FB91C73ED18C1455A2575D6765F45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:38.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F83328E5A71D2DFCD2FDE0A4B8AE0936,SHA256=C2A5D509B2D148FA828D35FCF4E14AF7F5A501CEF25E93E8F67ED07190B6C787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:38.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75D326897C762245498BF5A920143C8,SHA256=8CC182142349E58EA6151232ABAB8C517797BB62EE22468E8C3AD9A0EF37B11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:39.807{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E712C26F69AE122165B1D38C40262A,SHA256=4124E161F67FF9ED50C16F856229C69D627DDFDB0CF8EAE6D8D5A5875EF3C50A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:36.074{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:39.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0191AC1102305AFCC141DB4FD7C7FE95,SHA256=2BB40E542BA5BC0E058F880718E20FE1FC471CC5F8DE865337B68D89AF98B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:39.123{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FA93D02F41735BC1C1BC81CF1BE889D1,SHA256=51466F5CA975D2A15AD0A88BE75BA4D5F2EE449A18DAB7C3D76E876A82128D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:40.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3701A0B0446B12359C32F874C94170AE,SHA256=6241E6F60CE297D8C85F6F1E18F5323133D18201AF03265326B2B7722C5162E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:40.766{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4293MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:40.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C852AA7969125F8580486D6C1C243459,SHA256=DCBA87A1ACFD5E2441085FE2E7FB5E86FD283EFE8B68D11B8060559896265652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:40.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72E9239D3C884C51B616E948E36EE33,SHA256=145453F6BF4DA41C8C1A18FC1A898F0AE5AB35200B09B32C161FB729D017D700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:40.722{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:38.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001046972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:40.070{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:41.823{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E64E69B69570CE3784ADAC9E2D0B001,SHA256=D208D329FF769786353F196935F99CF331FF780175C9ED5CA3F291C369F8C238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:41.764{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4294MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:38.887{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59204-false10.0.1.12-8000- 354300x8000000000000000975487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:38.347{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:37.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:41.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3F0EBC7F4C367D634310050FF220AA,SHA256=DE6A44F8755AB8C5E5494A362690F0FA8675C534BF8618E4A141E37C36C850D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:38.861{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001046977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:41.076{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9DF1C59C3083958814AE473ED21B83B,SHA256=10D395DD486C1686F6B2CB10EB2DE5E295D1CE86DA3CD8ADC0AC35C1E346EAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:41.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8CED18AEE0D630B09C120F1939BC63,SHA256=9C25565DDF311338B89452A73013BCCA194FEE30F571CB73C1775595D520D825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:42.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1FB1F07729273C97FB53453FF95C62,SHA256=7E21BF69CCD0856572B6C1B926054A469433A7BE6013E000F7DBCAD8F2B37281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:42.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA7285EA2980A7317C9A26F450E37EF,SHA256=414AA25E79A2E66F30740CED34351558BA490E372B0ADE680DE89E1E0F2F84DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:43.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15E16B312E83868849C7B56502EB477,SHA256=E2A8A256028C56AECB831D8B18174430B755CCD6ECDA5E31421A8C320BB152AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:40.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-54022-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:43.799{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47AD5D0382F0F63E1E442110BD6F2AE6,SHA256=86C6546E0FF3A1CCDC29CE7A1424C492DA10A0C49CE38C8D5A7B706349872E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:43.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFFF07BEC9087691A8427E6ACB6F706,SHA256=DE7BB47CB2897C2DCE174BDB2B3A3D112B79BF8A1C6AE3E24830C1E255D796D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:42.068{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001046993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.967{5EBD8912-874C-6151-C979-00000000FC01}63008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95F4C1CCA7DCE879EF3EA0FFDDE9319,SHA256=4A18040E0336479AF79439CBC487FA3DF3317D3C7CA018FFBFB2F0BF29922B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:44.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CF034D471998547B86CE2280908891,SHA256=56A998DE4B7DC2CAABDD183BAE09E26706D2338ECD3901B0321A46B8A5B65B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-874C-6151-C979-00000000FC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-874C-6151-C979-00000000FC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.751{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-874C-6151-C979-00000000FC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.737{5EBD8912-874C-6151-C979-00000000FC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.620{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9DF1C59C3083958814AE473ED21B83B,SHA256=10D395DD486C1686F6B2CB10EB2DE5E295D1CE86DA3CD8ADC0AC35C1E346EAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:45.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EA5B2E8740FB4B6D6CCEEBDE028C839,SHA256=9D31873246FF89E06F6F7F735AAB78053EED6724A048656B03EE82AD6F8BD603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:45.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7698805BBBF5D2F57D7D2C6B9218C4C,SHA256=D80ED7B9D09A9C13872938308BE5E1C52F7DDBB1D9396040FDD87327D3A3FDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.736{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D901E0CF31C5443A21A83CEC8E0F858A,SHA256=BD97438FA7E64A402AD3F0BBC520ACDE4DD3D66E4AA52AE1F6465264D7F2C146,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:43.260{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63618-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-874D-6151-CA79-00000000FC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-874D-6151-CA79-00000000FC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.452{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-874D-6151-CA79-00000000FC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.421{5EBD8912-874D-6151-CA79-00000000FC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000975498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:42.785{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8063-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:46.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26503F796ABA1F20F2F838B10ADD8093,SHA256=F180CFDEF5C53381B5ED9849765CC29627003B5D87476F4094CB33EF25574E81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:44.812{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001047012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-874E-6151-CB79-00000000FC01}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-874E-6151-CB79-00000000FC01}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.137{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-874E-6151-CB79-00000000FC01}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.122{5EBD8912-874E-6151-CB79-00000000FC01}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:46.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BC6521921A76AB6E5BFA504FAE61D,SHA256=1F2C17A2B866B9E349DC44BFBDC80CD857CE1CCE387E78EE31D899B366DF0DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:45.676{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58168-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:47.121{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB3C4A4B211CA8F633D2BD06F80D2AD8,SHA256=13C5ECC089B3B18549A3FD5FEEFA2534400CB1464D0751B01D87379738ACE0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:47.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1E1916B9A34315B562088153D1C501,SHA256=12727380765B33C3BA224766623EDC302F3E108B6952D9A87BDC3E6DE2799E73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:44.660{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59205-false10.0.1.12-8000- 23542300x8000000000000000975499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:47.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF01825717B41BE824BB3606FC5550DF,SHA256=4473831388B7D9A27F58A18A5D714EC65B538E07057DD92219816784AAEB589F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:48.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81520A95463BE5C2657D0DCE85586C0A,SHA256=F10754EC36A47449BCE069EEB17BBF3F902C9AE2B7A3AA05490F29F1F5B03A44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:44.936{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19980-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:48.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF8728FDD9E4B5C1D1176B8520168B,SHA256=32E4F7B981685B37420BE93B71CB2A3E7629F9D928FC397B9740E667919EE317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:48.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13D39F5A3A423A9F539A04CA6A2AA00E,SHA256=8C6CBF01CE8C31788673494B31DAB261763AFA008719C6CA2E12BFB6FFBA757A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:49.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B672DF994CAA6F9381BE812A5C870F0,SHA256=1F1A6A503FAD775E50169CE6FD945D0612FE7212F77129339DFFE458EBAB2288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:49.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=398365F89ED2D32E0F8F1B31C871C800,SHA256=9A658A672282B462EEAEC26ABD9A88928AC0F2A9E6692ED16F0B45363397BD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:49.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2925E807DD9D58163CA1AF09F6453B,SHA256=C34E54EDE02719FEE19044A29F6635529931AAC9DC2442EFDA99C7FD7CBBDF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:50.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E924986E7F7CB3CFBA22FD1F9A5CE9,SHA256=B62235FA29A6630FB04D5D3FEE7327B373AEF1A8BD53936BE9FEA2C12393CFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:46.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59571-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:50.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D394D802F4E1858F1C0827945396EB99,SHA256=2828A5F6AB50DF7E5A46BD7471CBF99020BB5BBD038F5D7BE745F37A423D9C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:48.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32911-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:51.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C434779D492DAA80DBEE119CB4FD1E46,SHA256=D52D2E4152D1B55E9D837FBE55BE7CB8C0494706C763714D3E0BA646817DCA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:51.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB219021C143E766777BF1A3D5760DFE,SHA256=4A6FB3323A451D9F6469BA34292E47E794DA252652FD07ED41C6FCFF275BAB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:52.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86E46C41D527E92433026DD3A8D81CC,SHA256=43C0DEE0C8F91FD4117169135416624D30CE6AB8BEFCDE9AB8266CF18FADC07F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:49.879{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59206-false10.0.1.12-8000- 354300x8000000000000000975511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:49.693{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54449-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:52.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3DD612F6DDB86750713C78EF78325D,SHA256=795C55C74201E2E5E673B129FB4E75FBE9F1CE7E538FC974808E9F1D8F13DC17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:50.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:52.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF69D7CF940AF1E12FC9389109A1737,SHA256=42CFF839BF865F8AB18743AA7E6DCF7F2C4DFF0BC2066B70AE032CE8B9FB1F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:53.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB9BB33F69B117FE3380B9E782417CA,SHA256=EAB4EDD9CC02F1446D27B7E5B74E85C124A81E2412277A86FA16126CA0E75C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:53.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB2436F728C43FB11FB4A50D3A4D965,SHA256=0CFD906AA6CEE8332B2779005D384887A2FF5BE918457E257A056628F1E80018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.865{5EBD8912-8756-6151-CD79-00000000FC01}65285436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8756-6151-CD79-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8756-6151-CD79-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.649{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8756-6151-CD79-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.635{5EBD8912-8756-6151-CD79-00000000FC01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.403{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF1C975838CC1EFECB9D55310DB9F32,SHA256=C1CADAB2E1B24ACE978FBFA3118EE335C76DD25DDEDF026CFFEAC09080C88980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:54.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AE450285408ABEA2F32AA24B9322FA,SHA256=8BE94E2C0109FD4AB31C750DFD3CB17E671312E787A3E89776B11E8802A3E077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.303{5EBD8912-8756-6151-CC79-00000000FC01}4452688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8756-6151-CC79-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8756-6151-CC79-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.087{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8756-6151-CC79-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:54.066{5EBD8912-8756-6151-CC79-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001047061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8757-6151-CF79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8757-6151-CF79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.950{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8757-6151-CF79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.935{5EBD8912-8757-6151-CF79-00000000FC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.450{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0657D7344DCCB25DF383ED0198D54EB4,SHA256=1F29381919735B14351A201A9B4780D4A8566C5703E94138BD2BF02A23AFEEAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:55.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F1008824BBD843580F1D52EF1C09110,SHA256=21673E884D338B1C62C37BF0E731D206F0E9C8386160AB582E05FD02C8E2AB54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:53.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:52.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:55.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F34274773226EC08709A068B9726BAA,SHA256=F47A0B25A3F7CED4FCA289DCC32AB192DE5C96184842200C519B0EC5838D75A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8757-6151-CE79-00000000FC01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8757-6151-CE79-00000000FC01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.265{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8757-6151-CE79-00000000FC01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.252{5EBD8912-8757-6151-CE79-00000000FC01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC84305DD5F9E22871B4D51833FD9A66,SHA256=42D3A3744CF16E491ED75CE28AB998E88923191B50331F01958C4883EB35F277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0429001BFEB4BAF41C9FB092AF0A06,SHA256=B258A021E48A51FD0E6992D53D5B5FF6FF14ECC74BA66A45CE32BD88F517722F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:56.450{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52817C2C2F0F31EC5D02DA3056D7615F,SHA256=42817389D7ADEAC5F12DE5FB7FC99109A24B9CB58A84753945BE4EEE1F5244F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:53.237{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63601-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:56.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A001DCEB4FDC426E4419A4DEBDD1280,SHA256=88F4B6BCC3BE9CF2C2E48BEF1DC596C5BDD2FBA796E5C7DF54829F88D3E473F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:56.286{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC84305DD5F9E22871B4D51833FD9A66,SHA256=42D3A3744CF16E491ED75CE28AB998E88923191B50331F01958C4883EB35F277,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:56.118{5EBD8912-8757-6151-CF79-00000000FC01}50963756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:57.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B043E601D97D5D1462ED552E42B107CF,SHA256=6D36D0D0560D107E28372D99D45E27E32B8340DF8096EE45038792285FDF2338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:57.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE205626CD90E5C29E507E2AF4F4F98A,SHA256=15AEE165F4100B9E258F132CD7CB0948C1088884228156DCC0C50D8BA3659234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:57.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13B6B988E63E687E713AC5FFB49548E6,SHA256=E98F0C6791565718AF634345C1D829FE183B4932BD585785B60F0BC01C91EE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:55.268{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:58.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0000EFE94EAB4C7A2F6976C27A7DB77,SHA256=5B12A2D2386B81AD4DE001C012FE13C7A35EAD4F47AA0AF78DEB28F5E15CA108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:58.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877D149CCAFE49D6320283A661A3C83D,SHA256=A366564CE0A5EF6D14DF1D696EF2C009A56719A831965F8FC78492728794CD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:58.504{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000975523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:58.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D78FCB5BC91C0F9B7D1BB277964F9924,SHA256=91AB2F835ED7B67D3B16A09D177C054A9871F6820E248CC17FD169078F947DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:59.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9596B69D49ED503A5B402C5510DE252,SHA256=ECC837FAC5BAF80A47411DF9E268ED62090103494B9F5998A4282816242591C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:55.832{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59207-false10.0.1.12-8000- 13241300x8000000000000000975535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000975534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc09c53) 13241300x8000000000000000975533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0x3fb4ac12) 13241300x8000000000000000975532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37d-0xa1791412) 13241300x8000000000000000975531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0x033d7c12) 13241300x8000000000000000975530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000975529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc09c53) 13241300x8000000000000000975528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0x3fb4ac12) 13241300x8000000000000000975527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37d-0xa1791412) 13241300x8000000000000000975526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 08:56:59.815{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0x033d7c12) 23542300x8000000000000000975525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:59.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BF4556A2035DAC5E90198B7F910CDA,SHA256=4EA72E383F54DC1398DC4E0E423FB4AE5F73BF5C193CD1A870FE0AE983EC2106,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:56.757{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:00.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FCFE9A8307CB9A044BFF764EC4CA33,SHA256=883C80626758AC1E82FE5F8DF29C80CE9AF3E89AB672358428416896E8C94711,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:58.221{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:58.022{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-31926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:56:57.853{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61983-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:00.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0093DCDA822E0A2A08DDA2262B98AE,SHA256=A8F90264851B9BBE11A99A8CFCFBDC0AB80A3C74061CE8F9E87AEA22924B7F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:00.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042EA55C257C893EE8E5450468F83B57,SHA256=C73E0E372C5F87A207A829FD86A3AFF2FB5FAFBAA9F428A20DE806A9B6E5F9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:01.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D2ACDDD43AF43EE8F7BF99419A73E9,SHA256=77E37EA49D97519E55116C1204FA6B6071EFB147C41C90E4CC9E4F9B8EEA16FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:01.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7825FE6E4686F4E8DEE297EE7377E27D,SHA256=3B1CA121FC10BD5AAA0382D8649857C0B2D54DFD679CA9ABDFA0F323182DF7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:01.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234272583E83E1BA39B3AEE8C94D870E,SHA256=A8F72E7584B99F7D9C6472964D2EF5525A8E12408BCA40DFE45E2FD99E18F1E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:56:59.723{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:02.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9AB2DF34C2A96B2529075CC9E3FD9F,SHA256=F9942214F6EBB9A4218E7BACA19CDF796C8495F3371FB600BC78C500295340CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:02.636{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40282D38C585CAFEE3FBD09E750F9AE,SHA256=7E27D0C4E53883E739461EFD2466321FA1CC414F1BD900ADED505EECF6EE35F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:02.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80F49E85E03ED5E810C35FF11EAE7CF9,SHA256=7E5718BCF485E25B2E23B5B1CF92E9D3678DACAEB42B0D5C6CA516B1E78B1F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:02.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4163AA46F491B2264EEE31FB3584978A,SHA256=602076406963FED6E637167B95EC4115E665DCA1AFC664B422DE924129F3ABCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:03.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445170B58C8585017D573F544E31BC56,SHA256=571EDBA54F58B48148865C0AE317493B50B1F5AAEB264F48F7C3AEF1DC587875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:03.636{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13DEFB77396A935F17ADC99E5829189,SHA256=DC434D6D54C81492BBEC21202E63A2DB59CCEDB9A865B274CD9874E32EBC02E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:00.266{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000975547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:04.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB77471C72535DC9F40724489E8AF3A,SHA256=3CEC709F9B60B496F2A2D1C00AC702ECAA5CA6CA17ED852EC222B0DE11C13825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:04.651{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFF5EE3EA214BF7FCC0F4395ADE8590,SHA256=03D9164BD5C48984F98486E8681806F37B0301971C115B4A8676547004162E19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:00.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59208-false10.0.1.12-8000- 354300x80000000000000001047080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:01.878{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:05.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274E158A6234C9697B58E7B7827973D5,SHA256=69CB49237E6E05D2E1CDDBD2578954AB9F69253A6700F815713008F2AE5A8B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:05.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA89F3ED2D3FF695BFDC480C2A92504B,SHA256=BBD3C8FAA8F748317A378971D45C7C3617F9C10E3B8E6A61528E3289FA9D16F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:05.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CAC6F10315E666FC5FBA1B7FBFD90DC,SHA256=4A8CD57EB5009ECA40E9B33C7B3319B4C61082AC6E09851F8DEECF4121E4F8DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:03.814{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:03.404{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:03.297{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51229-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:05.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711278E37AA49033E321FF5CAC6E2963,SHA256=50E97FDB2B5D1701660DB60945B983B7C56EBE3BF96C3D74A606261090344213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:06.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD2CC9E14067F2DFDC97704B855CFCF,SHA256=1004E7E2E774DF14775D51C280774B3A2E4AE5340D027595E04ED621075CAEBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:02.841{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1762-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:02.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53225-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:07.703{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1F622CD9619C635C854A3ABDC6484,SHA256=DAE14214057FD5B4C1F4BA9B4DE7B43CFF8782EFC05F500EA7FB9550DABF0AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:07.798{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81A17ADDD72C40B56C11201005DCEEC,SHA256=C24A11310A30C3E259D92B1F1EF8D8FF5F226417E11A271A91186055F3B0413E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:07.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4875BAF581D15D3636EA2F1425E177C2,SHA256=A0AFD28F5E65EC4A22EA5DBF26027A92125234449B53E6B0A8B894A7D171160C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:08.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED44CBBF42F6D6AD427F4FD013FEF6B,SHA256=B9580E7BB89294589A79A51D7D9BC4E5D868C6141219986D9075772AF2E083B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:08.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C190ACC0E4C4BA023D92D79199568316,SHA256=19B3D4A3E556B6AF36CEB5BAABC859B934E93AD590651BB2D2ABC4B8FDCC2AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:08.298{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2904DC036A4432FCA91DD758910065A8,SHA256=85B6978679EA62B13A346FD838BE07B8672678EAE7BCF6FC1C1B9CD6A63DA8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:09.738{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2399EDA9FD1254D5647433E6BB67C779,SHA256=E14D97A06FBAE435E1BA93697F2E7B418B93474515C639CA525ECFFB3549D219,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:06.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:09.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B6207D3C2471FB61EBF9F7AE6D8B57,SHA256=9E01D69E22C26E1718876A1D6A7F85E800B23F63C4BDCCF54EF02395220B5903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:09.272{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4293MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:10.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57442BAC6FBE3EED0061ADDB1B93EDF8,SHA256=B4FE18B5F6715E3B5BAC183BD84C29C78DC40B609595EF9248409B57C45C2819,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:06.930{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:06.737{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59209-false10.0.1.12-8000- 23542300x8000000000000000975559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:10.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4AF6F35EFA9AD6A3D96D7A12301784,SHA256=6EB710142DDE5B349D971B02549B283E4A21A5A4A902F472F9246B390A735BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:07.830{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:10.271{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4294MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:10.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A4F4E492CA9584C6D12FF0C33FD0E25,SHA256=E61428E2880C8A4F96A2E496F7A5057072ECDCD7FAA38F0DA8771606188E9FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:11.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5C37D5B768C421BAD3410C3E4C3837,SHA256=A6B463D9ECF7802DDD99C97279B37D0A211CAC380C161DD9C75B367DADD1E07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:11.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEBBA125F6F2D2A2F69BA934CB19811,SHA256=1A53241EAF0EC8730B24185022DE0B659CD247D9E90272387BC40BEB54BF8D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:12.807{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C08A1DF1F0D831AF125913409F265,SHA256=55B14A34F0B66B0F570788024C19298036D1A47AD9F883AE112D4081DCF25801,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:10.195{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:09.145{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-43340-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:12.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696E8FD545A0044977716E6CCF7E1489,SHA256=66B11067EDDBC1B1FF2B53AC9444E2DBEE7EE11BCCD3C251AF9CBE0DCDA63965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:12.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C26937FFF31A172CC7282CF8BC4989E,SHA256=1A5BBEE96895589A3A7A6D95DEDF76493C4D7D5EE90E22F75318DE32BBB29DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:13.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDCEDED118AE487BC5DE24FB6BBEC6,SHA256=CE4F1B1EC682609AF1F8505D3063DCA2451C627F791F434354F6A444E5679E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:10.732{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58267-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:10.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58179-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:13.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE34F777AF80536464512D3FFDE20CC9,SHA256=5CBF7C60F4A8C57E20FEB69C66DDEC1E5360E3524A1A21D2D126D66E442F2F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:13.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5383EA23D459D3029FE9E8F04B6C371E,SHA256=DFCC42F967FBE9FC96431403AE59FBFA5CE8AABD0355FADA9E0ADBC7FFB7C6E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001047106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001047105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc0d620) 13241300x80000000000000001047104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0x480ad7d5) 13241300x80000000000000001047103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37d-0xa9cf3fd5) 13241300x80000000000000001047102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0x0b93a7d5) 13241300x80000000000000001047101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001047100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc0d620) 13241300x80000000000000001047099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0x480ad7d5) 13241300x80000000000000001047098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37d-0xa9cf3fd5) 13241300x80000000000000001047097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:57:13.554{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0x0b93a7d5) 23542300x8000000000000000975567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:13.360{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:14.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C54AF238DD453ECBC8CD9D6562B620,SHA256=6CDBE86B66B396FAE82E4EFDEE0C570AE3E371345505ABBC075A7B949A99E289,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:11.351{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:14.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950CAA3A98199206CDFF9AA209BB73D7,SHA256=4A3D451FAC27D62637EC711BFA8790ADC15D98320ED99B4CE32AD2C59800FF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:15.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4112B5C171F9AC6E26F196B709EBD8,SHA256=1A3E6EF8F66C43F6FBD427C12BA02290ADE708BDFF1288958795D698BF77EDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:15.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A395C11EDC1367AF36F89CD303B856,SHA256=2FA2F145812063C86B35200F0F62683B6826647F43EF9C39A5BDC1B6E6E15755,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:13.845{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:16.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83BDC1779A441DA913CC70D7A0AB5C5,SHA256=4FBCCD7DC6CB8C1812E886C30BBB16223AB1F0C2B81C378EEC603FAE67AAE573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:16.884{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB19EF1B7E91C618D54BAC8DB9FEF54,SHA256=74CB24FCD7E39AFF54473D4926B59F8986BBA6766D71A1877E909F631A3163F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:12.737{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59211-false10.0.1.12-8000- 354300x8000000000000000975575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:11.987{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59210-false10.0.1.12-8089- 23542300x80000000000000001047116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:17.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7CB4DA42AE3A34E43D724F6A601D9,SHA256=8767A9093922E281D24CC28FA853A3F1306E74968DB85B8A473B2E7692D1491D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:17.485{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F2E050701A464EB572F1F4A11C889E,SHA256=0DEB79740162830A7F6AB14CF60F1E19908BC585E78C8484D984A7334D5BBCD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:15.896{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49164-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:15.896{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49164-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001047113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:17.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A53C5F5D1045405CB9DCFD3BD4B9EE,SHA256=9BF2240DE8A376C36ADA59126EF521C229E2CDC48AF28F276B86FCE71BF3E39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:17.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508EA3B5A7E71B4C7D73BF108D637FD5,SHA256=74C5D7B63BF026D1B66159485015CECDE5AD57E7961BE3C4B7C8671AF6905E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:18.933{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54835B35E32B40AC820D1F1A7B4771CC,SHA256=47E8FF3A7D26B836BB040C5A325770A8F96AEC5239E2333E1049801CA995BF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:18.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4AC6666615736B6FD9850C2DFF0561,SHA256=AF16BA846C6652CFFC4601DDE5D23A00A7397628A8D65FC0B4D014E543014544,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:14.507{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:19.948{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4277FD9F2300ABF297276B0BE75C9B09,SHA256=B1619537492728C9FC3ECA6A1E2E72D9658774B682D3967EC4D029566F18CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:19.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A200EB9869D7A3356114628467D08DE8,SHA256=993AEB4FFDFD0CFB864121EC8B8A5F75BF7823595AB10DCB4D890EADF7070AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:19.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A0D00C5298FA178AA6E6148D1C58217,SHA256=0578D8A6AB5C345F9352D65084C30167D16DC003F30C9078D0C8D9C0B933214E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:19.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F332134F70A1843BED5E43732301B0,SHA256=7F97E993D6F9D3AECD0E59B9469FC9011CE0267D244AC90F1EAEE10354C764C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:20.532{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2241B529350676E9F9E5B25C1009241A,SHA256=D778330762C25D4B3F3FB035FF13EAB5E15FD8A97B8B6C55D68CD5136B1B8529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:21.532{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E995818D175DCD7C7F5E55F91D5BA71,SHA256=1796B9449DDACB894FBF0A861E5C233702C52BBB8FE2B1996838CA86DCF73FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:19.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:21.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFBEA84233DFBAB08434E29E4568463,SHA256=EED60ACAE0BD465C02FE87320CF79290425BFF8C6C6F2FD881ABC0F19FE0D1D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:17.768{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59212-false10.0.1.12-8000- 23542300x8000000000000000975587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:22.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ACB8899ED77BFEF9D27417F6DC64A9,SHA256=002E9D021C4139A90892D15039D43D84D36FF142F7D81C2C0DC11673FD03B737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:22.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E5B866D422E84FDF1CE26A2201A165,SHA256=0BE706C8A38A5640DE27626B40C701C2C2D42A1CBE2A7C40ACA5E39E9D6AC486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:23.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4E82D94973F531A482B6724DD47C1B,SHA256=EF69B27A346E9435ED98974C1E1D449092EF25AD2BA967AB94A78478C003B4A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:23.701{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:23.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF6745682AF82E170A0FCE51726D17A,SHA256=2DC19F838BC5855B1EA45CB0CE7303D844724B2529C415DEC2AB8F014EB3E6AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:19.512{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:24.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9087F769CDC7D3FDE806D70A47972BBF,SHA256=2B327E3BAB9695248433A92D3923D6ADFB8AA139149E35DFFC7E1A64B92D39B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:22.655{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63744-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:24.301{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77417E1F101AEDF651774EBECB527863,SHA256=D49FF104A7DF60DD9829E178053F620F5D6D122AC32481E431017D1332F94293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:24.301{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A53C5F5D1045405CB9DCFD3BD4B9EE,SHA256=9BF2240DE8A376C36ADA59126EF521C229E2CDC48AF28F276B86FCE71BF3E39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:24.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14828D7470F9FD6D2A598F6FF998AF1C,SHA256=DEB5EB8059F758F30448DC3A967542E599B5C8CAFCACD0E42CEA10E09252E737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:24.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A200EB9869D7A3356114628467D08DE8,SHA256=993AEB4FFDFD0CFB864121EC8B8A5F75BF7823595AB10DCB4D890EADF7070AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:25.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBF0B31818454F31DC414EC53A2F9F2,SHA256=70057D5337478050F203E8F1747D8053B2C6D96B6F0B4CBF9EF0934CB0352E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:23.311{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:25.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BB3FDC9203554F06FBE4FA501B62B6,SHA256=47BB7214F99741B857D91102C7A2710632C194FD98D9104FCD8C0AA6D7EF4927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.955{69CF5F33-8776-6151-5F79-00000000FD01}29962572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000975620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:22.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59213-false10.0.1.12-8000- 23542300x80000000000000001047132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:26.163{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=494A4CBF13FD1FD3090D70E8A00CD7B4,SHA256=83DEF08648FD5C2E010BAB4B2A98180B533E50E32668610AC3A2C2BFD9758C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:26.163{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=401944C6CE524FC6C580C1D9A540439F,SHA256=84EB6DC9281F416EA02645E21F22AB5ADB663D440ADDD312C924C04A4150A3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:26.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B9868D6E4BFC82613C1F5BFB5E1485,SHA256=9A50E5FC8863698F2A380DECE06C04783638582F9E35FE50330B1E43D21111C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8776-6151-5F79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8776-6151-5F79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.737{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8776-6151-5F79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.722{69CF5F33-8776-6151-5F79-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000975606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.330{69CF5F33-8776-6151-5E79-00000000FD01}636648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.065{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8776-6151-5E79-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8776-6151-5E79-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.049{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8776-6151-5E79-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:26.034{69CF5F33-8776-6151-5E79-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDA3852EDA89BDFA9B92288429C440D,SHA256=783A109CF403212668722EE6529011AA9CE520B18A4C81C006A5F8825C9284BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:25.807{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:27.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C7B6F04E1E16808F2CB03D6C737EB1,SHA256=5A340467D51B6F486E8D3A08DD0B0D690494E55ECA35F5AFE08E048F5641FE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8777-6151-6079-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8777-6151-6079-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.424{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8777-6151-6079-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.410{69CF5F33-8777-6151-6079-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BCA8AA2CB6DBCFF447A4476E6D9D75,SHA256=22C8B6BC5CC4CFB136E495E4E5D87B000D6C0523ECA072E13A4B03C9F570D2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:27.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8F211C46AD05688A2F8A40A6BE87F92,SHA256=661B36CC81EE57E254983300950976DFC28A610F5C13215B6E0B2963FF63E375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:28.799{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:28.281{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:28.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47DCB3FBF258F1CDAB7804B0DC8725,SHA256=5E19A47ED07CED4FE9A3FF3BDD6845C875296C3B13527428F0063B7D8AC34B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8778-6151-6279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8778-6151-6279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.799{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8778-6151-6279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.784{69CF5F33-8778-6151-6279-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8271EA26EC37279B1BA4A5F949B42765,SHA256=01D40C3832D8441697FDD1973A6A65D5B29039E81F544461FBF48B689A236829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.315{69CF5F33-8778-6151-6179-00000000FD01}30401516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000975651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:24.470{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9411-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000975650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.127{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8778-6151-6179-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8778-6151-6179-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.112{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8778-6151-6179-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.097{69CF5F33-8778-6151-6179-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000975682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.596{69CF5F33-8779-6151-6379-00000000FD01}2344404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000975681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EBEC1B3323F42596802B38A7E329C45,SHA256=72093A11AD0AE9CB23691290AAAB14AD55813F703461A36D77870E4DC62B457A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8779-6151-6379-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8779-6151-6379-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.393{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8779-6151-6379-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.378{69CF5F33-8779-6151-6379-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:29.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BED9E9FD0614F3D71998FD6B42A3E07,SHA256=B057818E792AEC6D19856B7A505629E17B88CCEFF610D941D5ED6AD617A391C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:29.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CC79994751A70E48661F29F7D9BBFE,SHA256=CFC792D41A3FB5424200F0DBAC9EC4A7E3CC1C7FB953755E057864ACACD8B0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:30.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1141CF8739A95324FB335E46198F1934,SHA256=52F3262AF81AD2BA64831E2DD5CA1EDB4DF8DE54AE44CD746966B7B890AB7EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:30.231{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA845685F9F048A6FE3776C6673923D,SHA256=946D0002F21AC0E2F986257A0A8E940F28E807C6AA9FA36005171917C1BFD88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:31.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=818929FA86AB8A18FFE66F7EFC4172A9,SHA256=0D0054D496581CF76F62F4146E5CAD43C02675204AB487AD1BE046371D00AC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:31.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892742FCC1FC0F5818E9189C7B9BDECF,SHA256=AFF2897E6DA89B712E21F24A50CEA939A45A0547A621734F9EBFE9109DBE8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:31.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE59C64B3256ACA6568C1502CB79ECEE,SHA256=E40011FA109ECE8A2E5DF3BD5FF0D7104F55A75845B4EB2065B79BCFBBDD5176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:31.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77417E1F101AEDF651774EBECB527863,SHA256=D49FF104A7DF60DD9829E178053F620F5D6D122AC32481E431017D1332F94293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:31.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFC510BDCF9B484E9FF2410123CE35F,SHA256=1A96662B62E5FA4F1372F2F207D5210592117E2E0948D37B3EBA77711E35995C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.515{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38562-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:32.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6D1EDBD24D26DA5F165AA2313159C0,SHA256=3EA1A7DD5F8DA6648D2F54E2F1E6D0FB34A77A293FE7206B63B66EA9F62D2DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:32.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EFC83819B125B19C696B22148F3DA3,SHA256=689B8DCB52BF9D4ACF54C2CD4CE16123BC31F5E0132A21282CFDA4B34AD68014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:32.440{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=55A2A4C50F62683046F51E120887FD21,SHA256=6DBDFB90FB310ABC30C04FF8377F5575F4258E2AFDB9C33BF8A74B340236C294,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.973{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:28.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59214-false10.0.1.12-8000- 354300x80000000000000001047143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:30.068{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000975691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:33.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6D41068CCFBE0506277C911FDD90EF,SHA256=DA45D7F9D1275CBEED2D94E87A1502783FC5928E1C47C011138EE1DF17388208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:33.483{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EBB584FAE538C2DD52763DDC1B923,SHA256=973B88B562736FC42A2BFE936D67D60F11501FCD55E2C3D47C8A6B26887E1B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:30.891{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000975695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:34.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FD2429B1FAB0794F54DC14A9A70727,SHA256=2FAB804E8CEAAF25088DC62DB23B936F752CBF0F206CA698D2839910EF0D7411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:34.498{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9600357BB104448502D4099B8CCFB4A,SHA256=891FBCD829D698227A607B873FB5B34441010E045C5ECC69AAEAED4E50F2E223,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:31.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50752-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:31.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:34.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7709AA953DB083E4C422499F7010060E,SHA256=56CE1263F34CF29646E9F49E5EE8539D241618BFDD7D00A289332D5F5480C554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:35.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6913A5828640C6121723047E83DB8DBC,SHA256=00853086499085781A2EF05E361D0A1A7342557AF64200BCA2E2A6A9EF3F5A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:35.499{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7666A9025030A2FB4192A445167E7E55,SHA256=10B5A31CABE011A5CB66C20D840B6F9CCED76B5CFF630249228E4DC52982B6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:36.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B99D39F8DED2D7BFBC78CCB7730E2A,SHA256=468F3EC794C959004478DEF045E59BA258016D3757196D720AB309A7657A3F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:36.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB121716B4E5F74BA53433F3CEDBBFB,SHA256=1A0DD9A8EC4D2715A8D123616FAA13F7D83328D53C076C1DFF2309F00593D148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:36.504{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9A3644A59054745B0CD7F49B87DEC2,SHA256=F6B3C04164AA41FC129E49589502424A7F2D8BC7CEDD5E34D0BC64DE44AE5F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:36.321{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000975712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8781-6151-6479-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8781-6151-6479-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000975701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.846{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8781-6151-6479-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000975700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.831{69CF5F33-8781-6151-6479-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:37.705{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC76ED70CF46CB4F66A1510F87DF56A6,SHA256=D63B87C97D61102B8E47624A2C0300E70C060A1CFBED37B70AB23EA73B7D7E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:37.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9305B36236C9D8595B9EA53CD85612A,SHA256=334ED59708D4F9C00E28887F8E25EF1E414EB9E5C492D6CC958FB35EA8DC85DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:38.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A584AE85E0CCAD576C4CEE3F1165DB58,SHA256=5D3D3491A06C4EB447145703421DFF868E7B593CE9EE79042808CEDBF29B5F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:38.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1A5117468BB6155B9A5355D7C9858,SHA256=3AC96F9AD7AF4F27F0AD93928722740992227F34E517CB40152D33AACF521AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:38.520{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89A2AAF218390AFCCA194816D055BE8,SHA256=E615F9CC602D59D60775C477F975C35260B9CE99F8530F7033855E2F8F1DCF80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:34.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59215-false10.0.1.12-8000- 354300x80000000000000001047152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:35.997{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000975716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:39.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF39EE1B1ED4B263450BC213775207C,SHA256=DF92BE597ED4A7133874EF69643BC5DB5A8156FF6F6E381635FAD5E78FE4AFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:39.551{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C6B252AA82D6D3C9A4102D25DF00DA,SHA256=9BD203145BF83F88E01D4B5E23D275D595860D73C7D2946BBAA595728646A5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:39.136{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FBE6CC6EA4EBA0411B6C3B70AD489483,SHA256=BDF8BDDC05D337C611A1E9F76634947853D6A2C7AF5725534AD9E7C5AF1E8CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:36.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:40.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A831525439F4BC8E59C7E96FDEB805E7,SHA256=8BC1D63225E1F3376046B004565D2F52C64C43CB3404ABF049D910E7D94EBA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:40.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE59C64B3256ACA6568C1502CB79ECEE,SHA256=E40011FA109ECE8A2E5DF3BD5FF0D7104F55A75845B4EB2065B79BCFBBDD5176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:40.568{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE6634A165BABDEBC2C135207B32BD2,SHA256=CFF044492727A81A71E5B0870A5D90427CCBAF0968F83CEFF10FE35BFD8FA6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:40.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106021DD2473CFA86A99C02D9C253520,SHA256=7CDC051DB08AD9722509A5AF7874E899292DBAC92ECBF1AF3E406C2D4B3509C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:36.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21366-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:41.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFCDBE32A3F600D9073D36ECDC2D331,SHA256=C568D9EBB4030AAE839AC0C754B23CE1183333002F7D46194466338D2F308DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:41.589{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75E1068868B0506209F4683B539316F,SHA256=25FC91778950D324C8E3461478B78CFF7628A8D3ECF0D492AEFA0748533A33C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:38.967{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61281-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000975720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:38.169{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:41.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F57F94977D8813DBB0029D390D0D07,SHA256=298069D8C1978C31D2C86513F53C54B13E35D2473E13E4A7616DD82DD2760C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:42.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2370BB2DC8FE6E6A726D6907E50104,SHA256=7AA6744784E9F39619EF34A60925F49E5BE94914AF104D9EA8D514CBCEA00882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:42.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E310142C159F497BE9175AC741863C,SHA256=2CBF4386A121155640B3677FDDB5057AD82F74610E5892099C653028D78CA14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:42.271{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4294MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:42.507{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A831525439F4BC8E59C7E96FDEB805E7,SHA256=8BC1D63225E1F3376046B004565D2F52C64C43CB3404ABF049D910E7D94EBA0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:40.071{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:39.572{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59395-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000975725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:43.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F06B6ED883BB9473F23FF819890283,SHA256=727E662CEC5E6101ABE56304FD0D0F4A44340A9D7944196B5EBFB02FC4205A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:43.807{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD62405B4E078821298F0EA77CD3C94,SHA256=4B3FED6A8390725665C47BBA6870934DA8DFCFE07541B6715E15F42CA75FD18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:43.271{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4295MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:44.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66FA0AB33AEC09DB267A6696385CE94,SHA256=3260F1C47CFC2BA66E07D37C8DC806AE37D0B3B8161B423C141214AC209BDEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.907{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1BAC6BDFC627D5BD07D67BE3FD15723,SHA256=A6934FE4D5BA61AF9ED7E86BF7229A19804B9DDB584EDAB365B095EE5444994F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.838{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BFEDDCB967CC59D77316A6845B59C8,SHA256=3A4D0F1ABAA47651C8DAD8B430C904A900FAB3E7DE41B92A89E270E8C77E8E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:44.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C221A418EA3495D5B878C8550AFECC8,SHA256=307C4B2312B7DF3D33D66FCCE05AB37EBAC1D9E9F928FE32DF49B6F0B844EBF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:40.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59216-false10.0.1.12-8000- 10341000x80000000000000001047174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.787{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8788-6151-D079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8788-6151-D079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.770{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8788-6151-D079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:44.755{5EBD8912-8788-6151-D079-00000000FC01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:45.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4332F710BA521AC8BB7C26EC292B8C3B,SHA256=8EC6E5EF3D64DB27DE9D172571585B70875AB91EF2FF6C19F6BCE452A4AB0EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669EF09EF6B9F2AB6C4AE9AD7CCE2837,SHA256=8525443C259FDFB2BFB1EDA962908C198252D9313E18FEE106B5ECBCADA8E781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:42.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60064-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:41.691{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49971-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001047192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8789-6151-D179-00000000FC01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8789-6151-D179-00000000FC01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.470{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8789-6151-D179-00000000FC01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.455{5EBD8912-8789-6151-D179-00000000FC01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:43.293{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:42.847{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6BE028FE2B569D0C2F617E8DE70E482C,SHA256=769DCC9D720DFD0CF725A4821EC0BCA19185F5237A780468E4626D7E5C80A7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=601EBC13A6A7A5DF10CD60DCA834484D,SHA256=4831D14B29FC5036F756781127218510AB63A822E7F680A59CCC6E2FD7FFF717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D7484F61C995C2B9F0F5393F8054E2D4,SHA256=352278A86E5466A028BF023F605929E429075BB51770AB41745A18A23C609D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F95B8E9BBCB7220B4700BD82E119B752,SHA256=B856EE9310F8682E18AEBA620C9741B7DEEF600B9194C4A0079FD252735DA3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=654291F4948B4054274413DA1FB20857,SHA256=4FAD60CA4808C3E3FF78D15C81307A33FC2431DACE04E802F80625FD96A87921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:45.054{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A486F23155534FF570FF268FF1E38374,SHA256=3F52B74568DD4233A40A330881655320E10447881934BF6ADF7E2327C83D930C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.908{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDC2634FC5900B3610DC14FC0AAA4E0,SHA256=D7BE9B1C3FAB9A4737F94FC72675C0E94942FB069CA944C945C159DECAFA2455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:46.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE5EADCE2C015C1115A475DD909DD80,SHA256=4121DE542307B68260F91715E4A310EA5D7F3873878731659520FE024761E7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.455{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55ED301588C1260148A4178AEFE7E7AA,SHA256=C3DBC9C6DDEB6527E73B7E048B9AB89E9E34148D20CFF47CA623304834DA8ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.355{5EBD8912-878A-6151-D279-00000000FC01}47246720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-878A-6151-D279-00000000FC01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-878A-6151-D279-00000000FC01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.139{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-878A-6151-D279-00000000FC01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:46.125{5EBD8912-878A-6151-D279-00000000FC01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:47.938{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6877983C98A211EA97342A94E6327730,SHA256=6105472F1DCB53295767F8610ABB3CDC3747DC4B5C3824A5D9565CD03253E792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:47.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5720469E2EC9B6DD198C100F03CF8FD1,SHA256=7D99252EBB0EC150A64B71422069062EC3DC2A9E5613BEB7A5BA05853A5C27D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:48.971{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A557E826549F7398BC2D90821CB763,SHA256=D26D9B50BA7F0B178020B9B77E9DA69617610B97C6DADA17045B9ADBF79E50AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:45.377{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51021-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:48.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C19682CF3F3A869F3C92B551D64475C,SHA256=B7115D34FF695F7B6F886D3FC968B7B4A47D60BB1AC1D22C2974EFE0CF4575B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:48.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A90EE82C08ED663BFC144E5A1E8A5218,SHA256=AFC6E92D3FBAF4207A699B52B8405ADB0D666E82AE0352E5BB67D2E2454BB7C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:46.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59217-false10.0.1.12-8000- 354300x8000000000000000975738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:46.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:49.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3F38856009931C13733AA3B30F3A34,SHA256=3EC890F7483F6309906C2BB32C97750FE92C65EAABA8BC5D70D7A4AEDE02282C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:49.408{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7846835F6319D328345457710E8FA21,SHA256=DA8EA7E8B48EB7D7448A0048B624CA6B5F3F49D3C77A7E2CC5E2A89341B8BCE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:47.775{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000975742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:47.087{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:50.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65DC6F750D276B94A19F3C0C493A9F9,SHA256=7860A2959C91849A76642D994FC26AC915A0AE245E978F94C51139E2F956ACD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:48.748{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:50.123{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907EAE635C72DEEE3CF1D243046E1DD6,SHA256=0188930781580901CAFC9B48C50C197EBC05EE837F0D4F4BBB9D256523AC1654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:50.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF703F6E5E7EFA11EF5213E4CB749C0D,SHA256=2419596C1B710D9D4CE38EA294C6A3B67EAB4A280B45F788824C1BEAC0727AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:51.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0018AEC6EE98AAFA539DC86643D07559,SHA256=7EABA945EB8267C06BF5A7FFB3651F5A8EAD8EC00FCBD14D6D4FE21920E19780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:51.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8613DDA4E1C2226693F9572DD68F9CB,SHA256=2BCD09587E04500443EB4D85B8CE9DDA243D475968E1963C8E9B55B4CD80374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:51.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E14315ED6CAE27553C5CAC919398F35,SHA256=6A1364343805C2BC9F47E00406E5386A8596D7DFC1830A5765C3D3F7FE06C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:52.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D6E1EE2AEC2CD239666813C447325C,SHA256=3D8A2ECCE9C27B72B6CF7143BC05FD2B31486D206F44453A8A6210A9969B4923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:52.208{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C1FFBDF73521CCC9480642E3DD81CF,SHA256=555C3276E6ED49A0E127D00C3BA0951505A9B94B734340FD1C9D36E19A0912A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:53.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A270206369E3DAB953CBAA703D09996C,SHA256=48F12643B475117542F94C35497983C1A4CB0162986FF41C0ADDA416D25372D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:53.407{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:53.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0B8763740CF39A5A0CB95479D03E65,SHA256=240EBE0E67DDB0587DF58636655C4975F29F9359101E22E149FFCDCC2F212BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:53.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=794BA720DF98B3F9FD25AE9567427248,SHA256=8857E10CFEBA1CAB501870E6EB1365FDFDD35506491D21A7D81CC3F0823CA686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:54.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A96C1AAF6D03D50C8D5A7DD001E5FFA,SHA256=18EB3033E8B5780F9F3F166106BBBAFC53031188CA889ED4BA63D93907C558A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.822{5EBD8912-8792-6151-D479-00000000FC01}13562204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8792-6151-D479-00000000FC01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8792-6151-D479-00000000FC01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.653{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8792-6151-D479-00000000FC01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.640{5EBD8912-8792-6151-D479-00000000FC01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001047259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.269{5EBD8912-8792-6151-D379-00000000FC01}49525340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.269{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6D8DAA7EFE6D45FB525873B5B485FA,SHA256=5209BBB0E77761EF9E2D8CC88266D220F8B4C5DC18F64153DFC564FC49F0AA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:50.894{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:50.203{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50249-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000975748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:49.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001047257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.107{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8792-6151-D379-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8792-6151-D379-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.091{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8792-6151-D379-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:54.086{5EBD8912-8792-6151-D379-00000000FC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000975752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:55.926{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FBCF38A48CE34F3F5D5157587CF01F,SHA256=DFAEF38984EF77F19194817BF033B2EDB496613967D2CEF38313AB1160D18BE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8793-6151-D679-00000000FC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8793-6151-D679-00000000FC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.953{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8793-6151-D679-00000000FC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.938{5EBD8912-8793-6151-D679-00000000FC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:53.877{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001047280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.453{5EBD8912-8793-6151-D579-00000000FC01}68606036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E08AA6E3918F1E9A68E65EAD02895,SHA256=33A380C1508F43B717145E143225ACAA2B8C40EADAC27FBA23C604C24C6E5700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8793-6151-D579-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8793-6151-D579-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.269{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8793-6151-D579-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.254{5EBD8912-8793-6151-D579-00000000FC01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283B8F6E668C74ED148216FD9A7B7F0A,SHA256=EA229534C6ECEDF600E371007C3F14DE097B971E9774E0F80057CF88D295ABAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:55.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929AB90D590F94BFE1ADE6CA0BA9EFB6,SHA256=A10F8D53AF00368BBE1E1F91BECF22A559A60E3C4C4A5816599D1781BC09E7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:56.926{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2E711706C31E332BED7E0AB0E1AFCD,SHA256=CB65A770010DAE7CC1178F1E18604A548E11D38C5ABE481BA331432A564E4A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:56.307{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357A5B22C9265F6A835C54E34A6ACC69,SHA256=ED2F4EA5D0B70C644CA63972C1A4619F9BFF6170BA54782E572887E4AB311A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:51.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59218-false10.0.1.12-8000- 23542300x80000000000000001047290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:56.269{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283B8F6E668C74ED148216FD9A7B7F0A,SHA256=EA229534C6ECEDF600E371007C3F14DE097B971E9774E0F80057CF88D295ABAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:57.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89305DE0EF7A1B604D300B292AFEDF9F,SHA256=92186FECCE14AB04B43EC9131A9123A91A178B357C472007D50E9F51A1515B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:57.307{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1742910F7F5650B583E570EAE26DD24B,SHA256=61C9D3B4E280B752E2CA64024A881EBFA59D772129E5A393672230E0BC0E5128,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:53.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:58.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42F174845544D829A149D4AF7D19895,SHA256=3E4A671CE7C1F4A209C39D59F7C0C90B904C1BFF57307CBFF4F963BA7AB5CBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:58.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE426F00D7A216EC9DB53D91F74623E,SHA256=6827FB6870ED4390C7B0C2C301E1E244129EE8DA47E81105BBB1FBD0C1D2384A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:55.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:58.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DE3B67B836D6F0CC316A64DC8BA3269,SHA256=A609B7F22A51FEEF89B2222EDE3F024E0C36CDF308B55599248C4DF042ED3D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:59.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D7623936C8D81F40307C340F9DABD9,SHA256=AAEAFD04F65E39C210B1A64E143D6FA8D4A0A31B76D9EA8AEDD6600A1760662D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:59.311{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCE03327EAB6B45E0B92FE4173157AB,SHA256=E984D1316F855180F4AA83E611E0ED17784049BD4C800E29C68C5DC822832B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:00.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC502D5DFCBA63B5EEF30344782072E1,SHA256=3DE53AD4AEDAE66CA026332148123DACF3D20D3AB82A9E72738683397A4C259C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:58.391{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54769-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:00.374{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2616B284084190B37614061FBD5CF74,SHA256=21E1A26DE803DF8B9CA2A0C0F4C09E74B6B4ADE27C6FFA28831F9FE4AC09F845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:01.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C625077ED116B9ACBAEF6361DB003473,SHA256=473E90D9E78C2457B9950446EE50B62B0FD97BD632FF2769757BEDC894C99529,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:57:59.881{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:01.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CAAFCC2CF486598C31FE07D462B4A0,SHA256=7F08ACE73F9CA59672FB69D18F411885CF462A581B5A44318BC1C19670DE06F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:57:57.882{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59219-false10.0.1.12-8000- 23542300x80000000000000001047297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:01.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1E0756AB6526B6F795CAF22E1F8BC40,SHA256=2290AC77829C1A277B1A53296F5639D79129F166162F1B34778706FDB9BD975C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:02.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AFCAD205561A1E5EF7904A553229CE,SHA256=8579CD2F442244628280866358FC7FE596405843F175804281C458D0510C076A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:02.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1A71E52F5F30286CB16029A15E854E,SHA256=B02DF3BFAD8F69CD1B4F4CD168AA7498E7D7C40400653F02D667CD16F9A122B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:03.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9946E7858A83F473EB9092BA323CB8A2,SHA256=8DD5B890C6C6359570055B60FE32B04B8D14543E6609C71BC9FE6DF061A22BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:01.630{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:03.544{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D3DDA521D6B9548C137465C6F88C3D,SHA256=F52C6A5352AF971DD33A667D3B7FC8F7BD6C027B27C36ECF46B9FD60EF813407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:00.067{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:03.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C66F9527A3E28DB99AC4F4B0820A6E5,SHA256=87371674A960FB63C5BFC89C7919ED0793985B24C302C082AE5972DE896EDC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:04.549{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93A2E75A33E6F2441A957D91E9ACD2C,SHA256=9B326F2E71C3B9DB4B5B4257D257D41BFB862149C89B075B8F0B1AFEAD277EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:05.568{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B250208409AA31FD516DFAF58FABB0DC,SHA256=BC9D011CB33774179B08081108CA89365451C11077794776D402EE4B5C5C0CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:05.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9771A2574E1438B2176687D8BFC9461C,SHA256=E4E90DD2A62B09AC7BA12CA90C0CA3D09975E77004F874F973B096A90E073C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:05.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4A3E63893AFB53A32D41D25DE5917C0,SHA256=8065CB087BF04BA98E5785723C72BA3EB261E458AC7873604DADCF0BC47F0671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:05.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3544AD3739930719E222570ED26010A1,SHA256=CA7B061D92E51FAF2318E6BB15EB8DA7D94D834F3D27B7A825F19444FA2F15A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:06.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19BFD921B8740041AE9B694925323CA,SHA256=C94EEDFE47D33442F9C264BE9C61EC2FF7697231C5C7F48D4670A82DC6DB1FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:03.792{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59220-false10.0.1.12-8000- 23542300x8000000000000000975770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:06.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF958F828A2A2CFE65BCCB187015560A,SHA256=D20DDFE17EB3A2084461ABF75B5775965E5F19A052FCEF26CF925BF98072A611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=83E911BAFA7CD9C72496F2AF9E00493D,SHA256=3E556DBB389270ECA3C50ED4F8E99E6EC0DEA325789FB7F10A256514FB3D0A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9624D9B7458746D9F88B6833700095E3,SHA256=2FFD2444C613BC6B325D4911B38AADC8B82DD05F99C69AC641B93C05AB5FF464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A6F56D58187292CF121EB310F7935365,SHA256=E6B205FC2D953C9EA7FC11FFBEB4335B520289ACCC2C64023B25F736BC97EB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C69AB6609EE7F613351FE913910D59DD,SHA256=680017AAA00493DA87E27FE68BA386796396265E37713997ACFC1B9F1ED5EDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DC9E5454BE397A5E3F5B01D971885E50,SHA256=58EF76EDFA3E234A84E1565EB04D3E9DE89B2DAAF1E738F9A6B11A01BAE42195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.921{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=797EBFD10D3FFDE085F9CE96B165A580,SHA256=A1EDC4AE948321EF2C83DCFA47F2AA230AF0986149E255C2E40C557CA87B4648,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:05.759{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5E2B682AAEEFA2A4247AFD4DA64401,SHA256=A649AD18F637B2D87FCDC667FA037502A480D29196BBFF855AE4113443A11E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:04.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9641-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:07.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9771A2574E1438B2176687D8BFC9461C,SHA256=E4E90DD2A62B09AC7BA12CA90C0CA3D09975E77004F874F973B096A90E073C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:07.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1A0AC17AB77E47FE8DDB45E09FEF68,SHA256=0AEC6F7BF3E03FA64869D0290F3A6AC5FC48ED5C8041AC361DC2CADC008BE2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:08.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F39AAC3BB92DF8B2048FE72F897426,SHA256=588831ED330A3A8E6C0EB319ACA2A3150F958EBB2E6912C2A5D16998B168E75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000975776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:06.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22060-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000975775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:08.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B85F8408135C6DC8466ACBD4B05C98,SHA256=9741B2EC981F498BABA52DCB574AD093AD363B81931E47033DAA073B6BB3616A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:09.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E5C3C7E091FCA1989E62CFA1145630,SHA256=09BDFF8658FA68B21F5302C70C615B4FABE913B4DB102FE7D55ED17BEACE06E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:09.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2480C71FB0DC4FD95798ECEC107258E3,SHA256=032F09E23078A013246C82A491ADE6FD840E15530873A84CD9FCACD27846F154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:09.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F96D7DB7DA3A4F692692BC5017FEEFA,SHA256=1737E0977F9CCF6F0B7A69BC704C1CA3AFBEF495166343119CD15FFC91714322,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:07.748{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:09.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B3F89FEBA34BEC3604A380621048587,SHA256=AD5FD9F0DBB00162D78826D098A59C1A8B07EA5A110F3CA10ED38820E9C050DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:58:09.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8D9D5E2B5285CD774685931D87DF9E1,SHA256=3CD13F52F960133CF932C39F90D6789EF6E8E7817B5B56F573AAFB914FD4C470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:10.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD59F05C739602CDDDA4FE73B9ACB925,SHA256=9514A4FF3152AFFEF089A9B40C3B77DA32E38C5B7A170CC4381AA7D1CFFB26BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000975779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:58:10.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CE50B0C37E2FE0F17E35EE264D8E72,SHA256=3464CC7F528CFB578480319196A0693C590C5C49E5B9DFA8B3EF1C0652CBDD47,IMPHASH=00000000000000000000000000000000falsetrue